From: Platonides <platonides@gmail.com>
Date: Fri, 13 Apr 2012 20:37:33 +0000 (+0200)
Subject: (bug 35961) Hash comparison should always be strict.
X-Git-Tag: 1.31.0-rc.0~23873^2
X-Git-Url: https://git.cyclocoop.org/%27.%24link.%27?a=commitdiff_plain;h=bc7840f7d47ccd69bb2dae7030acc85eada4b312;p=lhc%2Fweb%2Fwiklou.git

(bug 35961) Hash comparison should always be strict.

If your salted password end up being completely numeric when
represented in hexadecimal (less than 1 password per 10 millions),
it is also possible to login by providing another password that only
matches the first 9 bytes (instead of the full 16 ones) if it turns out
to also be completely numeric with your assigned salt (which is completely unknown).
The odds of finding an equivalent password with such characteristics, over a double md5
with an unknown salt, are really low. Even if the attacker broke into the servers and
robbed the salts, making use of this property would require a preimage attack of a partial
md5 (2^18) with the output of another md5 hash, for which a full preimage would still be
needed. Breaking the hashes using conventional attacks would be easier, so this is not
a critical update.

Change-Id: I8d1153fb91ca6507bd1df91e9953561f74f12ef6
---

diff --git a/includes/User.php b/includes/User.php
index af923ffeeb..d3332fdd76 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -3924,7 +3924,7 @@ class User {
 		} elseif ( $type == ':B:' ) {
 			# Salted
 			list( $salt, $realHash ) = explode( ':', substr( $hash, 3 ), 2 );
-			return md5( $salt.'-'.md5( $password ) ) == $realHash;
+			return md5( $salt.'-'.md5( $password ) ) === $realHash;
 		} else {
 			# Old-style
 			return self::oldCrypt( $password, $userId ) === $hash;