Laravel v5.4.36 vulnerabilities #69

Closed

maxvisser commented May 8, 2018

$1: Acknowledgement

The decrypt function in Laravel can be exploited. I scanned the code for this specific function and couldn't find any hits. If Valentin uses it in a next update, please upgrade to a newer version of Laravel.

Resources:

https://medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0
$2: Potential security risk

Laravel also misuses the remember_me token until 5.5.10, which leaves it open to a timing attack.

I could find remember_me in the code: https://github.com/teamforus/forus-backend/search?utf8=%E2%9C%93&q=remember_me&type=

Resources:

laravel/framework#21320

Question: please check these vulnerabilities in Laravel.
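As an added illustration of the defect class behind the second point (example code written for this page, not code from this issue, from Laravel, or from the forus-backend project): a remember-me token check that compares with `===` beside one that uses PHP's constant-time `hash_equals()`. The user record shape, the `remember_token` field name and the sample token are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample: a persisted user record as a lookup would return it.
// Field names are assumptions for this example, not the project's schema.
$storedUser = [
    'id'             => 42,
    'remember_token' => 'c4f8a1e0d9b7c6a5f4e3d2c1b0a99887c4f8a1e0d9b7c6a5f4e3d2c1b0a99887',
];

/**
 * Weak check: a plain string comparison can stop at the first differing byte,
 * so how long it takes leaks how many leading bytes of the submitted token
 * were correct. That is the timing side channel the issue refers to.
 */
function rememberTokenMatchesWeak(array $user, string $submitted): bool
{
    return $user['remember_token'] === $submitted;
}

/**
 * Hardened check: hash_equals() takes time that depends only on the length of
 * the known string, so a mismatch reveals nothing about where it occurred.
 * Both arguments must be strings, so an absent or empty stored token is
 * rejected up front instead of being passed to hash_equals().
 */
function rememberTokenMatches(array $user, ?string $submitted): bool
{
    $stored = $user['remember_token'] ?? null;
    if (!is_string($stored) || $stored === '' || !is_string($submitted)) {
        return false;
    }
    // Known (stored) value first, user-supplied value second.
    return hash_equals($stored, $submitted);
}

// Rotating the token on logout or password change bounds the window in which
// a recovered token stays useful; 32 random bytes yield a 64-char hex token.
function freshRememberToken(): string
{
    return bin2hex(random_bytes(32));
}

// Behavioural checks: same answers as the weak version, different timing profile.
assert(rememberTokenMatches($storedUser, $storedUser['remember_token']) === true);
assert(rememberTokenMatches($storedUser, 'c4f8a1e0' . str_repeat('0', 56)) === false);
assert(rememberTokenMatches($storedUser, null) === false);
assert(rememberTokenMatches(['id' => 7, 'remember_token' => null], '') === false);
assert(strlen(freshRememberToken()) === 64);
```

Run with `php -d zend.assertions=1 example.php`; a silent exit means every assertion held.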

@maxvisser maxvisser changed the title Lavaral v5.4.36 encrypter vulnerability Lavaral v5.4.36 vulnerability's May 8, 2018
@maxvisser maxvisser changed the title Lavaral v5.4.36 vulnerability's Lavaral v5.4.36 vulnerabilities May 8, 2018
@maxvisser maxvisser changed the title Lavaral v5.4.36 vulnerabilities Laravel v5.4.36 vulnerabilities May 8, 2018
@maxvisser maxvisser added this to Backlog in Forus via automation May 8, 2018
@danrminds (Contributor) commented:

Functions not used currently

Forus automation moved this from Backlog to Review 🔎 May 8, 2018
@maxvisser maxvisser assigned maxvisser and unassigned dev-rminds and danrminds May 9, 2018
@maxvisser maxvisser removed the question label May 9, 2018
@maxvisser (Author) commented:

Thanks for checking.

@maxvisser maxvisser moved this from In review 🔎 to 🎉 Done! 🎉 in Forus May 9, 2018
@ghost ghost unassigned maxvisser Jun 25, 2018