  1. phpBB3
  2. PHPBB3-11343

Loose string comparison during new password activation


      Description

      Although request_var() takes care of casting user input to the appropriate type, when comparing strings in a security context, it is required to use strict comparison (===). This is because, e.g., "10" == "1e1" evaluates to true, which might weaken security properties (e.g. when comparing to a random string).
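
      The difference described above, as an added example that is not phpBB's code or part of the original report: it compares a stored key against several submitted values with == and with ===. The function names and all sample values are hypothetical and constructed for illustration; the scalar type declarations assume PHP 7 or later.

```php
<?php
// Added example: hypothetical helper names, constructed sample values.

// Loose check, the pattern the issue describes. When both operands are
// numeric strings, PHP compares them as numbers rather than byte by byte.
function key_matches_loose(string $submitted, string $stored): bool
{
    return $submitted == $stored;
}

// Strict check: the strings must be identical, character for character.
function key_matches_strict(string $submitted, string $stored): bool
{
    return $submitted === $stored;
}

// A stored key is only exposed to numeric comparison if it is itself
// a numeric string, which a random key can be by chance.
function key_is_numeric_string(string $stored): bool
{
    return is_numeric($stored);
}

// Constructed stored key that happens to look like a number.
$stored = '10';

// Constructed submissions; only the first is the same string as $stored.
$submissions = ['10', '1e1', '10.0', ' 10', '1O'];

printf("stored key %s numeric string: %s\n",
    var_export($stored, true),
    var_export(key_is_numeric_string($stored), true));

foreach ($submissions as $submitted) {
    printf("%-8s loose=%-5s strict=%s\n",
        var_export($submitted, true),
        var_export(key_matches_loose($submitted, $stored), true),
        var_export(key_matches_strict($submitted, $stored), true));
}
```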


              People

              Assignee:
              bantu Andreas Fischer
              Reporter:
              imkingdavid David King