Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-11343

Loose string comparison during new password activation

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.11
    • Fix Version/s: 3.0.12-RC1
    • Labels:
      None

      Description

      Although request_var() takes care of casting user input to the appropriate type, when comparing strings in a security context, it is required to use strict comparison (===). This is because e.g. "10" == "1e1" evaluates to true which might weaken security properties (e.g. when comparing to a random string).

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                bantu Andreas Fischer
                Reporter:
                imkingdavid David King
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: