Closed Bug 907438 Opened 9 years ago Closed 9 years ago
SQL, login cookie checking is not case-sensitive, reducing total entropy and allowing easier brute force
Similar to bug 906745, when we check the database for validity of a users login cookie, MySQL does not do the check in a case-sensitive manner which lowers the bar to brute forcing someone's login cookie. We do store the IP address which helps some but it would be better if we pulled the cookie value from the db and then did the comparison in Perl like we did for the fix for bug 906745. Feel free to remove the privacy bit if you feel this is not necessarily a security problem but more of an enhancement. dkl
Target Milestone: --- → Bugzilla 4.0
Comment on attachment 793654 [details] [diff] [review] patch for 4.4 and older r=LpSolit
Attachment #793654 - Flags: review?(LpSolit) → review+
This patch now longer applies cleanly on trunk due to bug 917669. The comment right above |if (...)| has changed. dkl: could you update it, please, as you are responsible for the bitrot? ;)
Fixed bit-rot. dkl
Attachment #810769 - Attachment description: 907438_2.patch → patch for trunk
Committing to: bzr+ssh://email@example.com/bugzilla/4.0 modified Bugzilla/Auth/Login/Cookie.pm Committed revision 7758. Committing to: bzr+ssh://firstname.lastname@example.org/bugzilla/4.2 modified Bugzilla/Auth/Login/Cookie.pm Committed revision 8230. Committing to: bzr+ssh://email@example.com/bugzilla/4.4 modified Bugzilla/Auth/Login/Cookie.pm Committed revision 8622. Committing to: bzr+ssh://firstname.lastname@example.org/bugzilla/trunk modified Bugzilla/Auth/Login/Cookie.pm Committed revision 8776.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Security advisory sent.
You need to log in before you can comment on or make changes to this bug.