
Prevent expensive hash computation in phpbb_check_hash() by rejecting very long passwords

    Details

    • Type: Improvement
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.12-RC3
    • Fix Version/s: 3.0.12
    • Component/s: None
    • Labels:
      None

      Description

      We are using the phpass hashing scheme which uses 2^11 rounds of md5 to compute the final password hash. While 2^11 = 2048 is a constant number, this means that a very long password of 1 MiB of data will result in 2 GiB being processed by md5(). This is unnecessary and can be easily prevented by rejecting very long passwords, say those that are longer than 4 KiB.
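The cost described above, as an added illustration that is not phpBB's or phpass's own code: a Python reproduction of the phpass iterated-md5 core, a helper that counts how many bytes md5() is fed for a given password length, and a length guard applied before any hashing. It assumes an 8-byte salt and phpass's raw 16-byte intermediate digest; the function names are hypothetical.

```python
import hashlib

MAX_PASSWORD_BYTES = 4096   # the 4 KiB cutoff proposed in this issue
COUNT_LOG2 = 11             # phpBB's phpass setting: 2^11 rounds of md5
SALT_LEN = 8                # assumption: phpass-style 8-byte salt
DIGEST_LEN = 16             # raw md5 output carried between rounds


def phpass_md5_bytes_processed(password_len, count_log2=COUNT_LOG2):
    """Total bytes fed to md5() by the phpass loop for one password.

    First round hashes salt + password, then 2^count_log2 rounds each hash
    the previous 16-byte digest + password, so cost grows linearly with
    password length times the round count.
    """
    rounds = 1 << count_log2
    return (SALT_LEN + password_len) + rounds * (DIGEST_LEN + password_len)


def phpass_style_hash(password: bytes, salt: bytes, count_log2=COUNT_LOG2) -> bytes:
    """Reproduce the phpass core: md5(salt + pw), then 2^count_log2 rounds
    of md5(prev_digest + pw). Output encoding of the real scheme is omitted."""
    h = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + password).digest()
    return h


def check_password_guarded(password: bytes, salt: bytes, max_len=MAX_PASSWORD_BYTES):
    """Mitigation from the issue: refuse over-long passwords before hashing
    so an attacker cannot make the server grind through gigabytes of md5.
    Returns None when rejected, otherwise the raw digest."""
    if len(password) > max_len:
        return None
    return phpass_style_hash(password, salt)


if __name__ == "__main__":
    one_mib = 1 << 20
    print("1 MiB password ->", phpass_md5_bytes_processed(one_mib) / (1 << 30), "GiB hashed")
    print("4 KiB password ->", phpass_md5_bytes_processed(4096) / (1 << 20), "MiB hashed")
    print("5000-byte password rejected:", check_password_guarded(b"a" * 5000, b"12345678") is None)
```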

        Activity

        There are no comments yet on this issue.

People

• Assignee: nickvergessen (Joas Schilling)
• Reporter: bantu (Andreas Fischer)
• Votes: 0
• Watchers: 2
