summaryrefslogtreecommitdiffstats
path: root/system
diff options
context:
space:
mode:
authorFlorian Pritz <bluewind@xinu.at>2014-05-13 11:06:46 +0200
committerFlorian Pritz <bluewind@xinu.at>2014-05-13 11:06:46 +0200
commit110b467503f7a749aec685be445468c0f98b9e2a (patch)
treeb9303466a0f35eb88451acfa3345e61df2af4643 /system
parentfe773bd296cd194e56fa6954cb7f0e2d4c5b1e25 (diff)
Fix timing attack on session hash
http://seclists.org/fulldisclosure/2014/May/54 Signed-off-by: Florian Pritz <bluewind@xinu.at>
Diffstat (limited to 'system')
-rw-r--r--system/libraries/Session.php9
1 files changed, 8 insertions, 1 deletions
diff --git a/system/libraries/Session.php b/system/libraries/Session.php
index 891fdd36a..328438653 100644
--- a/system/libraries/Session.php
+++ b/system/libraries/Session.php
@@ -154,9 +154,16 @@ class CI_Session {
// encryption was not used, so we need to check the md5 hash
$hash = substr($session, strlen($session)-32); // get last 32 chars
$session = substr($session, 0, strlen($session)-32);
+ $hash_check = md5($session.$this->encryption_key);
+
+ $diff = 0;
+ for ($i = 0; $i < 32; $i++)
+ {
+ $diff |= ord($hash[$i]) ^ ord($hash_check[$i]);
+ }
// Does the md5 hash match? This is to prevent manipulation of session data in userspace
- if ($hash !== md5($session.$this->encryption_key))
+ if ($diff !== 0)
{
log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.');
$this->sess_destroy();