Hi Team,
First of all, thanks for taking the time to read this.
I was looking for timing attacks in public repositories and found a security issue similar to a previous one, #1089, but in another code section:
CodeIgniter-Ion-Auth/models/Ion_auth_model.php
Line 2779 in 72352df
A simple strict equals sign === is used for hash comparison, which is vulnerable to a timing attack. I think that hash_equals() could be used instead. It seems that this portion of code is part of the legacy _password_verify_sha1_legacy function, so I don't know if you want to fix it or not, but I only want to notify you.
Have a great week, Thanks!
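The comparison issue raised in the report above, as an added example that is not part of the original issue and is not Ion Auth's code. The function names, the salt-then-password SHA-1 scheme and the sample values are assumptions made for illustration; `early_exit_compare()` is a simplified model of a comparison that stops at the first differing byte.

```php
<?php
// Added example: hypothetical helpers and constructed sample values.

// Simplified model of an early-exit comparison. Returns
// [equal?, number of byte comparisons performed] so the data-dependent
// amount of work is visible without measuring wall-clock time.
function early_exit_compare(string $known, string $given): array
{
    if (strlen($known) !== strlen($given)) {
        return [false, 0];
    }
    $steps = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $steps++;
        if ($known[$i] !== $given[$i]) {
            return [false, $steps]; // stops at the first mismatch
        }
    }
    return [true, $steps];
}

// Hypothetical legacy-style check: salted SHA-1 (assumed scheme),
// compared with hash_equals(), whose running time does not depend on
// where the two strings differ.
function verify_sha1_constant_time(string $password, string $salt, string $storedHex): bool
{
    $candidate = sha1($salt . $password);
    return hash_equals($storedHex, $candidate); // known value first, user value second
}

$salt   = 'constructed-salt';
$stored = sha1($salt . 'correct horse'); // constructed sample hash (40 hex chars)

// 'x' never occurs in a hex digest, so the mismatch position is known.
$noPrefix  = str_repeat('x', 40);
$tenPrefix = substr($stored, 0, 10) . str_repeat('x', 30);

// The early-exit model does more work the longer the matching prefix is.
printf("no matching prefix:      %d comparisons\n", early_exit_compare($stored, $noPrefix)[1]);
printf("10-byte matching prefix: %d comparisons\n", early_exit_compare($stored, $tenPrefix)[1]);

// The constant-time check still accepts and rejects correctly.
var_dump(verify_sha1_constant_time('correct horse', $salt, $stored));
var_dump(verify_sha1_constant_time('wrong guess', $salt, $stored));
```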