
Yii2 vulnerability to "BREACH" attacks? #1634

Closed
docsolver opened this issue Dec 26, 2013 · 1 comment

Comments

@ghost (Contributor) commented Dec 26, 2013

I just read about a new type of attack, introduced at this year's Black Hat conference: http://breachattack.com/

It is not application-specific: apparently the attack works on any website using HTTP compression (which is the default in Apache as far as I know), user data being returned in the HTTP response body and a CSRF token being served.

To what extent would a vanilla Yii2 setup on a LAMP machine with default settings be vulnerable?

@qiangxue qiangxue closed this in c896016 Dec 26, 2013
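The fix referenced in this thread (commit message below: "Use masked CSRF tokens to prevent BREACH exploits") works by never emitting the same token bytes twice in a response body. BREACH recovers a secret only if that secret appears verbatim in every compressed response; if each response carries a freshly masked copy, the compressed length no longer correlates with the attacker-controlled input. The following PHP is an added illustration of that masking idea, not Yii2's own implementation: the function names, the hex encoding and the `$secret` session value are assumptions made here.

```php
<?php
// Illustration of per-response CSRF token masking (added example, not Yii2 code).
// $secret is the stable CSRF secret that would normally live in the user's session.

function generateMaskedToken(string $secret): string
{
    // A fresh random mask for every response: the bytes written into the HTML
    // differ each time, so a compressed page no longer leaks a stable token.
    $mask = random_bytes(strlen($secret));
    // Wire format: hex(mask || (secret XOR mask)); PHP's ^ on strings XORs byte by byte.
    return bin2hex($mask . ($secret ^ $mask));
}

function unmaskToken(string $masked, int $secretLength): ?string
{
    $raw = @hex2bin($masked);
    // Reject anything that is not exactly mask + masked secret.
    if ($raw === false || strlen($raw) !== 2 * $secretLength) {
        return null;
    }
    $mask = substr($raw, 0, $secretLength);
    return substr($raw, $secretLength) ^ $mask;
}

function validateCsrfToken(string $submitted, string $secret): bool
{
    $candidate = unmaskToken($submitted, strlen($secret));
    // hash_equals gives a constant-time comparison against the session secret.
    return $candidate !== null && hash_equals($secret, $candidate);
}

// Usage with a constructed secret (in a real app it comes from the session).
$secret = random_bytes(32);
$first  = generateMaskedToken($secret);
$second = generateMaskedToken($secret);

assert($first !== $second);                                  // different bytes on the wire each time
assert(validateCsrfToken($first, $secret));                  // both still validate against the same secret
assert(validateCsrfToken($second, $secret));
assert(!validateCsrfToken(bin2hex(random_bytes(64)), $secret)); // random garbage is rejected
assert(!validateCsrfToken('not-hex', $secret));                 // malformed input is rejected
```

Note that masking only removes the token as a BREACH target; other secrets reflected into a compressed response (e-mail addresses, session identifiers) would still need their own treatment, and the check above says nothing about those.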
@ghost (Contributor, Author) commented Dec 26, 2013

Thanks for the quick response!

tonydspaniard added a commit to tonydspaniard/yii2 that referenced this issue Dec 27, 2013
* upstream: (21 commits)
  Fixes yiisoft#1643: Added default value for `Captcha::options`
  Fixes yiisoft#1654: Fixed the issue that a new message source object is generated for every new message being translated
  Allow dash char in ActionColumn’s button names.
  Added SecurityTest.
  fixed functional test when enablePrettyUrl is false.
  fixed composer.json
  minor doc fix.
  Fixes yiisoft#1634: Use masked CSRF tokens to prevent BREACH exploits
  Use better random CSRF token.
  GII unique indexes avoid autoIncrement columns
  updated debug retry params.
  Added sleep().
  Added unit test for ActiveRecord::updateAttributes().
  Fixes yiisoft#1641: Added `BaseActiveRecord::updateAttributes()`
  Fixed yiisoft#1504: Debug toolbar isn't loaded successfully in some environments when xdebug is enabled
  Mongo README.md updated.
  Fixes yiisoft#1611: Added `BaseActiveRecord::markAttributeDirty()`
  Number validator was missing
  Fixes yiisoft#1638: prevent table names from being enclosed within curly brackets twice.
  Unique indexes rules for single columns into array
  ...
KJLJon added a commit to KJLJon/yii that referenced this issue Nov 6, 2014