[PHPBB3-11343] Loose string comparison during new password activation

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.11
Fix Version/s: 3.0.12-RC1
Component/s: User Control Panel (UCP)
Labels:
None

GitHub Pull Request URL:
https://github.com/phpbb/phpbb3/pull/1219

Description

Although request_var() takes care of casting user input to the appropriate type, when comparing strings in a security context, it is required to use strict comparison (===). This is because e.g. "10" == "1e1" evaluates to true which might weaken security properties (e.g. when comparing to a random string).

Attachments

Issue Links

blocks

PHPBB3-11327 Implement reset password functionality via form instead of sending password

Unverified Fix

Activity

People

Assignee:: Andreas Fischer [X] (Inactive)

Reporter:: David King [X] (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 25/Jan/13 6:22 PM

Updated:: 22/Jan/17 4:01 PM

Resolved:: 27/Jan/13 10:55 PM