Commit 24e9e17a authored by Oliver Hader's avatar Oliver Hader Committed by Oliver Hader
[TASK] Streamline frontend user password recovery process

The ext:felogin recovery process is using a non-typesafe comparison
which might be exploited with a probability of 0.000000294% and is
storing the recovery token as a plain MD5 hash in the database.

In order to streamline the process, the non-typesafe comparison now
uses PHP's hash_equals() method; for keeping backward compatibility,
just HMAC-SHA1 is applied to the recovery token in the database.

Since exploitation of this scenario is very unlikely (for a 50%
chance an attacker would have to trigger the creation of around
170 million recovery requests), it is not handled with a security
workflow but with the public workflow.

Resolves: #89952
Releases: master, 10.2, 9.5, 8.7
Change-Id: Idcb7b7d6eb418124dc17f1707284b6abe8a8b63b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62690


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
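The two weaknesses the commit message names, each beside its hardened form, as an added illustration that is not TYPO3 code and not part of the commit. The non-typesafe comparison it refers to is PHP's loose "==": when both operands are numeric-looking strings they are compared as numbers, and an MD5 hex digest of the form "0e" followed by 30 decimal digits parses as zero, so any two such digests compare equal. The share of MD5 digests with that shape is 10^30 / 16^32, which is the 0.000000294% quoted above. The two constructed inputs MAGIC_A and MAGIC_B are well-known strings with that property; the function names, the $secret value and the token format are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 code): the two weaknesses the commit names, each
// beside its hardened form.
//
// 1) Non-typesafe comparison. PHP's loose "==" converts two strings that both
//    look numeric into numbers before comparing. An MD5 hex digest of the form
//    "0e" followed by 30 decimal digits is such a string (it parses as 0.0),
//    so any two such digests compare equal under "==". declare(strict_types=1)
//    does not change this; it only affects scalar parameter types.
//    Constructed inputs: two well-known strings whose MD5 digests have that shape.
const MAGIC_A = '240610708';  // md5: 0e462097431906509019562988736854
const MAGIC_B = 'QNKCDZO';    // md5: 0e830400451993494058024219903391

// Vulnerable pattern: loose comparison of the submitted token's hash against
// the stored MD5 hash.
function looseMatch(string $storedMd5, string $submitted): bool
{
    return md5($submitted) == $storedMd5;
}

// Hardened pattern: hash_equals() compares byte-wise, so no type juggling,
// and in constant time, so the position of the first mismatch is not leaked.
function strictMatch(string $storedMd5, string $submitted): bool
{
    return hash_equals($storedMd5, md5($submitted));
}

// 2) Storing a keyed HMAC-SHA1 of the token instead of a plain MD5 hash. The
//    stored value is derived from the token with a secret, so someone who can
//    only read the column neither holds the value a recovery link needs nor can
//    brute-force the token offline without the key. $secret stands in for an
//    installation-wide key (assumption: loaded from configuration in real code).
function storeRecoveryToken(string $token, string $secret): string
{
    return hash_hmac('sha1', $token, $secret);
}

function verifyRecoveryToken(string $storedHmac, string $submitted, string $secret): bool
{
    return hash_equals($storedHmac, hash_hmac('sha1', $submitted, $secret));
}

// Self-checks: the script throws if any of the described behaviour differs.
$storedMd5 = md5(MAGIC_A);
if (!looseMatch($storedMd5, MAGIC_B)) {
    throw new RuntimeException('expected loose "==" to accept the wrong token');
}
if (strictMatch($storedMd5, MAGIC_B)) {
    throw new RuntimeException('hash_equals() must reject the wrong token');
}
if (!strictMatch($storedMd5, MAGIC_A)) {
    throw new RuntimeException('hash_equals() must accept the right token');
}

$secret = 'constructed-demo-secret';            // assumption: real key comes from config
$token  = bin2hex(random_bytes(16));            // constructed recovery token, as mailed out
$stored = storeRecoveryToken($token, $secret);  // what would go into the database
if (!verifyRecoveryToken($stored, $token, $secret)) {
    throw new RuntimeException('valid token must verify');
}
if (verifyRecoveryToken($stored, MAGIC_B, $secret)) {
    throw new RuntimeException('unrelated token must not verify');
}
echo "all checks passed\n";
```

Run it with `php example.php`; it exits cleanly only if the loose comparison accepts the wrong token while both hash_equals() paths behave correctly. A strict "===" would also stop the type juggling, but hash_equals() is the better replacement because it additionally compares in constant time, and it returns false for strings of different length, which matters when a 32-character MD5 column is migrated to a 40-character HMAC-SHA1 value.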