Magic Hash Vulnerability #8326
Comments
Use strict verification of legacy Joomla MD5 hash (Fix #8326)
Another suggestion: use a timing-safe comparison. (Also: make this use
👍 From a code review standpoint, the referred commit as well as follow-up commits seem to address this issue properly. Btw, Joomla upgrades the stored password hash at each login if needed. Thus, this issue can only occur on a very old account that has not been logged in for a very long time, or on a very old unmaintained Joomla installation (one of these has to be older than around 3 years so that the password hasn't been upgraded at a login with a recent Joomla version yet for that compare case to occur).
joomla-cms/libraries/joomla/crypt/password/simple.php, line 151 in ec8a72f
You're using the non-strict equality operator to compare hashes...
http://blog.astrumfutura.com/2015/05/phps-magic-hash-vulnerability-or-beware-of-type-juggling/
cc @padraic @ircmaxell @enygma
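To illustrate the comparison problem the issue describes, here is an added example in PHP; it is not Joomla's code and does not reproduce the function at simple.php line 151. The two hash-like strings are constructed so that both look numeric to PHP, which is the type-juggling case the linked blog post covers, and the function names are hypothetical.

```php
<?php
// Added example (not from the Joomla code base). Shows why comparing hash
// strings with the loose == operator is unsafe, and two safer alternatives.

// Constructed sample values, not real digests: both are hex-looking strings
// of the form "0e" followed only by digits, which PHP treats as numeric
// strings when they meet the == operator.
$storedHash   = '0e111111111111111111111111111111';
$computedHash = '0e222222222222222222222222222222';

/** Loose comparison (hypothetical name): the defect the issue reports. */
function legacyCompare(string $stored, string $computed): bool
{
    // Two numeric strings are compared as numbers, so "0e111..." and
    // "0e222..." both evaluate to zero and are reported as equal even
    // though the strings differ.
    return $stored == $computed;
}

/** Strict comparison (hypothetical name): fixes the type juggling only. */
function strictCompare(string $stored, string $computed): bool
{
    // === compares the strings byte for byte without numeric conversion,
    // but may still return early on the first differing byte.
    return $stored === $computed;
}

/** Constant-time comparison (hypothetical name): fixes both problems. */
function safeCompare(string $stored, string $computed): bool
{
    // hash_equals() (PHP >= 5.6) compares the full strings in constant time
    // and never performs numeric conversion, so it also covers the
    // timing-safe suggestion made in the comments above.
    return hash_equals($stored, $computed);
}

var_dump(legacyCompare($storedHash, $computedHash)); // loose: reports a match
var_dump(strictCompare($storedHash, $computedHash)); // strict: no match
var_dump(safeCompare($storedHash, $computedHash));   // constant-time: no match
```

The first call is the behaviour to detect in a code review: any `==` between a stored digest and a freshly computed one. Replacing it with `hash_equals()` is the usual fix, since it removes both the juggling and the early-exit timing difference in one change.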