Yii2 vulnerability to "BREACH" attacks? #1634

Closed
docsolver opened this Issue Dec 26, 2013 · 1 comment


ghost commented Dec 26, 2013

I just read about a new type of attack, introduced at this year's Black Hat conference: http://breachattack.com/

It is not application-specific: apparently the attack works on any website using HTTP compression (which is the default in Apache as far as I know), with user data being returned in the HTTP response body and a CSRF token being served.

To what extent would a vanilla Yii2 setup on a LAMP machine with default settings be vulnerable?
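The fix applied for this issue (commit c896016, "Use masked CSRF tokens to prevent BREACH exploits") works by never embedding the same token bytes twice: each response XORs the session's CSRF secret with a fresh random mask and ships mask plus masked value together, so the compressed length of the page no longer depends on a stable secret. The following is an added Python illustration of that masking scheme, not Yii2's own PHP code; the token length, the base64 wire format and the `_csrf` field name are assumptions chosen for the example.

```python
import base64
import hmac
import secrets
from typing import Optional

# Assumed length of the per-session CSRF secret (not taken from Yii2).
TOKEN_BYTES = 32


def generate_csrf_token() -> bytes:
    """Random per-session CSRF secret, generated once and kept server-side."""
    return secrets.token_bytes(TOKEN_BYTES)


def mask_token(token: bytes) -> str:
    """Per-response masked form: base64(mask || (token XOR mask)).

    The mask is fresh for every call, so the bytes written into the page
    differ on each response even though the underlying secret is constant.
    A compression side channel that guesses the secret prefix byte by byte
    therefore has no stable string to match against."""
    mask = secrets.token_bytes(len(token))
    xored = bytes(t ^ m for t, m in zip(token, mask))
    return base64.b64encode(mask + xored).decode("ascii")


def unmask_token(masked: str) -> Optional[bytes]:
    """Recover the secret from a masked value; None on any malformed input."""
    try:
        raw = base64.b64decode(masked, validate=True)
    except ValueError:  # covers binascii.Error and non-ASCII input
        return None
    if len(raw) != 2 * TOKEN_BYTES:
        return None
    mask, xored = raw[:TOKEN_BYTES], raw[TOKEN_BYTES:]
    return bytes(x ^ m for x, m in zip(xored, mask))


def validate_csrf(submitted: str, session_token: bytes) -> bool:
    """Unmask the submitted field and compare in constant time."""
    token = unmask_token(submitted)
    if token is None:
        return False
    return hmac.compare_digest(token, session_token)


def render_hidden_field(session_token: bytes) -> str:
    """Hidden form field as a view would emit it (field name is assumed)."""
    return '<input type="hidden" name="_csrf" value="%s">' % mask_token(session_token)


def raw_token_exposed(html: str, session_token: bytes) -> bool:
    """Defensive check: does the rendered page contain the unmasked secret
    in either of the encodings a view might plausibly use?"""
    return (base64.b64encode(session_token).decode("ascii") in html
            or session_token.hex() in html)


def count_distinct_masked(session_token: bytes, responses: int = 100) -> int:
    """Number of distinct on-the-wire values across `responses` renders."""
    return len({mask_token(session_token) for _ in range(responses)})


if __name__ == "__main__":
    secret = generate_csrf_token()
    page = render_hidden_field(secret)
    print(page)
    print("raw secret visible in page:", raw_token_exposed(page, secret))
    print("distinct values over 100 responses:", count_distinct_masked(secret))
```

Every render of the form yields a different `_csrf` value, while `validate_csrf` accepts any of them for the same session secret; rejecting short, non-base64 or tampered submissions before the comparison keeps the unmasking step from turning malformed input into a spurious match.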

@qiangxue qiangxue closed this in c896016 Dec 26, 2013

ghost commented Dec 26, 2013

Thanks for the quick response!

tonydspaniard added a commit to tonydspaniard/yii2 that referenced this issue Dec 27, 2013

Merge branch 'upstream' into 364-toAscii
* upstream: (21 commits)
  Fixes #1643: Added default value for `Captcha::options`
  Fixes #1654: Fixed the issue that a new message source object is generated for every new message being translated
  Allow dash char in ActionColumn’s button names.
  Added SecurityTest.
  fixed functional test when enablePrettyUrl is false.
  fixed composer.json
  minor doc fix.
  Fixes #1634: Use masked CSRF tokens to prevent BREACH exploits
  Use better random CSRF token.
  GII unique indexes avoid autoIncrement columns
  updated debug retry params.
  Added sleep().
  Added unit test for ActiveRecord::updateAttributes().
  Fixes #1641: Added `BaseActiveRecord::updateAttributes()`
  Fixed #1504: Debug toolbar isn't loaded successfully in some environments when xdebug is enabled
  Mongo README.md updated.
  Fixes #1611: Added `BaseActiveRecord::markAttributeDirty()`
  Number validator was missing
  Fixes #1638: prevent table names from being enclosed within curly brackets twice.
  Unique indexes rules for single columns into array
  ...

KJLJon added a commit to KJLJon/yii that referenced this issue Nov 6, 2014
