author | Florian Pritz <bluewind@xinu.at> | 2014-05-13 11:06:46 +0200 |
---|---|---|
committer | Florian Pritz <bluewind@xinu.at> | 2014-05-13 11:06:46 +0200 |
commit | 110b467503f7a749aec685be445468c0f98b9e2a (patch) | |
tree | b9303466a0f35eb88451acfa3345e61df2af4643 | |
parent | fe773bd296cd194e56fa6954cb7f0e2d4c5b1e25 (diff) |
Fix timing attack on session hash
http://seclists.org/fulldisclosure/2014/May/54
Signed-off-by: Florian Pritz <bluewind@xinu.at>
-rw-r--r-- | system/libraries/Session.php | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/system/libraries/Session.php b/system/libraries/Session.php
index 891fdd36a..328438653 100644
--- a/system/libraries/Session.php
+++ b/system/libraries/Session.php
@@ -154,9 +154,16 @@ class CI_Session {
 // encryption was not used, so we need to check the md5 hash
 $hash = substr($session, strlen($session)-32); // get last 32 chars
 $session = substr($session, 0, strlen($session)-32);
+ $hash_check = md5($session.$this->encryption_key);
+
+ $diff = 0;
+ for ($i = 0; $i < 32; $i++)
+ {
+ $diff |= ord($hash[$i]) ^ ord($hash_check[$i]);
+ }
 // Does the md5 hash match? This is to prevent manipulation of session data in userspace
- if ($hash !== md5($session.$this->encryption_key))
+ if ($diff !== 0)
 {
 log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.');
 $this->sess_destroy(); |
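Review bot: The new comparison loop reads `$hash[$i]` for all 32 positions without first checking that the cookie actually supplied 32 characters. A short or empty cookie value appears to still be rejected, but only after raising an uninitialized-string-offset notice for every missing byte, which any client can trigger at will. Seed the accumulator with the length check and bound the loop, e.g. `$diff = (strlen($hash) === 32) ? 0 : 1;` and `for ($i = 0, $n = min(32, strlen($hash)); $i < $n; $i++)`. Where PHP 5.6 or later can be assumed, `hash_equals($hash_check, (string) $hash)` covers both the length check and the constant-time comparison. The enclosing method starts before this hunk and its body continues past the last line shown.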