Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#3832] - Remove Possibility of Timing Attacks

? Success

User tests: Successful: Unsuccessful:

avatar sarciszewski
sarciszewski
25 Jun 2014

https://www.isecpartners.com/blog/2011/february/double-hmac-verification.aspx

Let's not compare hashes in a way that creates cryptographic
side-channels.

When you compare two hashes with the == or === operators, PHP will
internally use memcmp() which returns false after the first byte fails
to match. This creates a side-channel (known in the literature as a
timing attack).

This patch uses hash_hmac() of the expected and supplied strings with a
random 32-byte nonce (a number to be used once) for each comparison,
thus making timing attacks useless. (The output for the comparison
operation is no longer attacker-controllable, so attempting to measure
the time an request takes to fail is useless.)

avatar sarciszewski sarciszewski - open - 25 Jun 2014
avatar brianteeman brianteeman - change - 21 Aug 2014
Status New Pending
avatar nicksavov nicksavov - change - 21 Aug 2014
Labels Removed: ?
avatar CedricTakongmo
CedricTakongmo - comment - 21 Aug 2015

Hi guy,
I could not test this issue. I got this error "The patch could not be applied because the repository is missing". I'm on Joomla! 3.4.4-dev.

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/3832.

avatar CedricTakongmo CedricTakongmo - test_item - 21 Aug 2015 - Tested unsuccessfully
avatar sarciszewski
sarciszewski - comment - 21 Aug 2015

Use #4206 instead

avatar sarciszewski sarciszewski - change - 21 Aug 2015
Status Pending Closed
Closed_Date 0000-00-00 00:00:00 2015-08-21 13:33:39
Closed_By sarciszewski
avatar sarciszewski sarciszewski - close - 21 Aug 2015

Add a Comment

Login with GitHub to post a comment