[PHPBB3-11873] Prevent expensive hash computation in phpbb_check_hash() by rejecting very long passwords

XML

Word

Printable

Details

Type: Improvement
Status: Unverified Fix (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.12-RC3
Fix Version/s: 3.0.12
Component/s: None
Labels:
None

GitHub Pull Request URL:
https://github.com/phpbb/phpbb3/pull/1740

Description

We are using the phpass hashing scheme which uses 2^11 rounds of md5 to compute the final password hash. While 2^11 = 2048 is a constant number, this means that a very long password of 1 MiB of data will result in 2 GiB being processed by md5(). This is unnecessary and can be easily prevented by rejecting very long passwords, say those that are longer than 4 KiB.

Attachments

Activity

People

Assignee:: Joas Schilling

Reporter:: Andreas Fischer [X] (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 28/Sep/13 1:03 AM

Updated:: 28/Sep/13 1:04 PM

Resolved:: 28/Sep/13 1:04 PM