Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-11873

Prevent expensive hash computation in phpbb_check_hash() by rejecting very long passwords

    XMLWordPrintable

Details

    • Improvement
    • Status: Unverified Fix (View Workflow)
    • Major
    • Resolution: Fixed
    • 3.0.12-RC3
    • 3.0.12
    • None
    • None

    Description

      We are using the phpass hashing scheme which uses 2^11 rounds of md5 to compute the final password hash. While 2^11 = 2048 is a constant number, this means that a very long password of 1 MiB of data will result in 2 GiB being processed by md5(). This is unnecessary and can be easily prevented by rejecting very long passwords, say those that are longer than 4 KiB.

      Attachments

        Activity

          People

            nickvergessen Joas Schilling [X] (Inactive)
            bantu Andreas Fischer
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: