Username disclosure #631
https://github.com/ZF-Commons/ZfcUser/blob/1.x/src/ZfcUser/Authentication/Adapter/Db.php
The way the user / login is performed is potentially disclosing the username due to the fact that the operation for an existing user is way different than the one for a nonexistent one.
I'm not an expert in security btw, but please take a look at:
http://blog.ircmaxell.com/2014/11/its-all-about-time.html
And probably the comparison / hashing should be updated to use hash_password and hash_equals (there is a compatibility library if the version of php doesn't support such):
https://github.com/ircmaxell/password_compat
Cheers,
LF
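To make the timing point concrete, here is an added illustration (not ZfcUser's code and not part of the issue report) of the two login shapes being discussed: an adapter that returns early when the username is unknown, so the expensive hash check only runs for real accounts, next to one that always performs a `password_verify()` of the same cost against a dummy hash. The in-memory `$users` array, the account `alice`, the `authenticateLeaky` / `authenticateUniform` / `makeDummyHash` / `timeIt` names and the sample passwords are all constructed for this example; it assumes PHP 7.4 or newer (arrow functions, `hrtime()`).

```php
<?php
// Added example: early-return login vs. uniform-cost login.
// Everything below is constructed for illustration; nothing is taken from ZfcUser.
declare(strict_types=1);

// Constructed sample account. The hash is generated at runtime so the file is
// self-contained; real code would read it from the users table.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
];

// Shape 1 (the pattern the issue describes): unknown usernames skip the bcrypt
// work entirely, so a failed login for a real account takes measurably longer
// than one for a made-up account.
function authenticateLeaky(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;                      // fast path, no hashing at all
    }
    return password_verify($password, $users[$username]);
}

// Shape 2: always run one bcrypt verification. When the user does not exist we
// verify against a dummy hash produced with the same algorithm and cost, so
// both branches do comparable work. The dummy must never be accepted as a
// successful login, hence the explicit "$exists &&" below.
function makeDummyHash(): string
{
    // bin2hex keeps the input free of NUL bytes, which bcrypt would truncate on.
    return password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 10]);
}

function authenticateUniform(array $users, string $username, string $password, string $dummyHash): bool
{
    $exists = isset($users[$username]);
    $hash   = $exists ? $users[$username] : $dummyHash;
    $ok     = password_verify($password, $hash); // bcrypt runs in both cases
    return $exists && $ok;
}

// Rough wall-clock measurement a maintainer can use to confirm the fix locally:
// average milliseconds per call over a few rounds.
function timeIt(callable $fn, int $rounds = 20): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        $fn();
    }
    return (hrtime(true) - $start) / $rounds / 1e6;
}

$dummy = makeDummyHash();
$wrong = 'not the password';

printf("leaky   existing user : %.2f ms\n", timeIt(fn() => authenticateLeaky($users, 'alice', $wrong)));
printf("leaky   unknown user  : %.2f ms\n", timeIt(fn() => authenticateLeaky($users, 'mallory', $wrong)));
printf("uniform existing user : %.2f ms\n", timeIt(fn() => authenticateUniform($users, 'alice', $wrong, $dummy)));
printf("uniform unknown user  : %.2f ms\n", timeIt(fn() => authenticateUniform($users, 'mallory', $wrong, $dummy)));

// Functional checks: the uniform variant still authenticates correctly and can
// never be satisfied by the dummy hash.
assert(authenticateUniform($users, 'alice', 'correct horse battery staple', $dummy) === true);
assert(authenticateUniform($users, 'alice', $wrong, $dummy) === false);
assert(authenticateUniform($users, 'mallory', 'correct horse battery staple', $dummy) === false);
```

Run it with `php -d zend.assertions=1 example.php`: the two "leaky" lines differ by roughly one full bcrypt computation, while the two "uniform" lines are close together. The dummy hash has to be generated with the same algorithm and cost as the stored hashes, otherwise the gap reappears. `password_verify()` already compares the resulting hash in constant time, so `hash_equals()` is only needed where code compares hash strings by hand instead of going through `password_verify()`.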