paragonie-scott - open - 8 Nov 2015
mbabker - reference | aa7d0ac - 9 Nov 15
brianteeman - close - 9 Nov 2015
mbabker - change - 9 Nov 2015
Status: New -> Closed
Closed_Date: 0000-00-00 00:00:00 -> 2015-11-09 00:52:43
Closed_By: mbabker
mbabker - close - 9 Nov 2015
wilsonge - reference | 1529d8f - 9 Nov 15
paragonie-scott - comment - 9 Nov 2015

Another suggestion: use a timing safe comparison.

(Also: make this use hash_equals() in PHP 5.6+.)

mbabker - comment - 9 Nov 2015

There was a pull request for that at one point (#4206 then #7754) but in pretty typical manner around these parts it was over the head of most folks testing/reviewing patches and ended up abandoned/closed.

beat - comment - 14 Nov 2015

:+1: From code review standpoint, the referred commit as well as follow-up commits seem to address this issue properly.

Btw, Joomla upgrades the stored password hash at each login if needed. Thus, this issue can only occur on a very old account that has not been logged in for a very long time, or on a very old unmaintained Joomla installation (one of these has to be older than around 3 years so that the password hasn't been upgraded at a login with a recent Joomla version yet for that compare case to occur).

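The two points raised above, paragonie-scott's timing-safe comparison (with hash_equals() on PHP 5.6+) and beat's note that the stored hash gets upgraded at login, fit together in one login check. The following is an added illustration, not code from Joomla or from either commenter. It assumes a legacy stored format of `<md5 hex>:<salt>` purely for demonstration (the real legacy layout is not stated in this thread), assumes PHP 5.5+ for password_hash(), and uses a constant-time polyfill only where hash_equals() does not exist.

```php
<?php
// Added example, not Joomla's code. The legacy "<md5 hex>:<salt>" layout is a
// constructed assumption for illustration; it makes no claim about Joomla's
// real storage format.

// Polyfill for PHP < 5.6. On 5.6+ the native hash_equals() is used instead.
if (!function_exists('hash_equals')) {
    function hash_equals($known, $user)
    {
        if (!is_string($known) || !is_string($user)) {
            return false;
        }
        $len = strlen($known);
        if ($len !== strlen($user)) {
            // Hash lengths are public, so an early return on length is fine.
            return false;
        }
        $diff = 0;
        for ($i = 0; $i < $len; $i++) {
            // OR the XOR of every byte pair; no early exit on mismatch.
            $diff |= ord($known[$i]) ^ ord($user[$i]);
        }
        return $diff === 0;
    }
}

/**
 * Verify $password against $storedHash, which is either a modern
 * password_hash() string (starts with '$') or the assumed legacy
 * "<md5 hex>:<salt>" layout.
 *
 * Returns array(bool $ok, string|null $newHash). $newHash is non-null when
 * the caller should replace the stored hash (upgrade on successful login).
 */
function verifyAndMaybeUpgrade($password, $storedHash)
{
    // Modern hash: password_verify() performs its own constant-time compare.
    if (strpos($storedHash, '$') === 0) {
        if (!password_verify($password, $storedHash)) {
            return array(false, null);
        }
        $newHash = password_needs_rehash($storedHash, PASSWORD_DEFAULT)
            ? password_hash($password, PASSWORD_DEFAULT)
            : null;
        return array(true, $newHash);
    }

    // Legacy layout: recompute the hash and compare in constant time.
    $parts = explode(':', $storedHash, 2);
    if (count($parts) !== 2) {
        return array(false, null);
    }
    list($expected, $salt) = $parts;
    $candidate = md5($password . $salt);

    // An ordinary string comparison may stop at the first differing byte, so
    // its duration can reveal how long a matching prefix was. hash_equals()
    // touches every byte regardless of where the first mismatch is.
    if (!hash_equals($expected, $candidate)) {
        return array(false, null);
    }

    // Correct password on a legacy hash: hand back a modern hash to store, so
    // this account never hits the legacy compare path again.
    return array(true, password_hash($password, PASSWORD_DEFAULT));
}

// Constructed demo values (not real credentials).
$salt       = 'abcd1234';
$legacyHash = md5('correct horse' . $salt) . ':' . $salt;

list($ok, $upgrade) = verifyAndMaybeUpgrade('correct horse', $legacyHash);
var_dump($ok);               // bool(true)
var_dump($upgrade !== null); // bool(true): caller should store $upgrade

list($ok, $upgrade) = verifyAndMaybeUpgrade('wrong password', $legacyHash);
var_dump($ok);               // bool(false)
var_dump($upgrade);          // NULL: nothing is rewritten on a failed login

// Once upgraded, the modern hash goes through password_verify() instead.
list($ok, $upgrade) = verifyAndMaybeUpgrade('correct horse', password_hash('correct horse', PASSWORD_DEFAULT));
var_dump($ok);               // bool(true)
```

The upgrade is only issued after a successful verification, so a failed login never rewrites the stored hash; that is what keeps the legacy compare path confined to accounts that have not logged in since the old format was in use, as beat describes.
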
brianteeman - change - 14 Dec 2015
Labels Added: ?
