Place Your Ad Here

Solved \XF\Util\Random::getRandomString() seems suspectible to timing attacks

This topic has been solved
K

Kirby

Guest
\XF\Util\Random::getRandomString() generates a cryptographically secure random value (by calling \XF\Util\Random::getRandomBytes()) but then calls base64_encode to generate a string from those bytes.

AFAIK, base64_encode is not constant time so could be vulnerable to timing attacks.

It might therefore be better to use sodium_bin2base64 instead (if available) or fallback to bundled ParagonIE_Sodium_Core_Base64_UrlSafe if not.

Continue reading...
 
You must log in or register to reply here.

Similar threads

K
Bug \XF\Util\Random::getRandomString() seems suspectible to timing attacks
Replies
0
Views
145
XenForo General Discussions
Kirby
K
D
Bug Wrong return hint for \XF\Util\Ip::checkIpsAgainstBinaryRangeList
Replies
0
Views
45
XenForo General Discussions
DragonByte Tech
D
J
XenForo [E_WARNING] mkdir(): Permission denied in src/XF/Util/File.php at line 281
Replies
0
Views
237
XenForo Development & Modifications
Jean-Baptiste
J
X
Solved Race condition in XF\Util\File::createTempDir
Replies
0
Views
225
XenForo General Discussions
Xon
X
V
Solved \XF\Util\File::copyFileToAbstractedPath causes failure in PHP8.0+ with S3-Compatable Storages
Replies
0
Views
236
XenForo General Discussions
VersoBit
V
Top Bottom
Back