Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-11343

Loose string comparison during new password activation

    XMLWordPrintable

Details

    Description

      Although request_var() takes care of casting user input to the appropriate type, when comparing strings in a security context, it is required to use strict comparison (===). This is because e.g. "10" == "1e1" evaluates to true which might weaken security properties (e.g. when comparing to a random string).

      Attachments

        Issue Links

          Activity

            People

              bantu Andreas Fischer
              imkingdavid David King
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: