
BUG: Login allows check for existing usernames

Open Benjamin-K opened this issue 3 years ago • 4 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Current Behavior

When you try to log in, the response times differ depending on whether the user exists or not. This leads to possible attacks on Neos CMS systems. When requesting a login for an existing username, the login is way faster than with an incorrect username, and there is a low spread of response times.

(screenshot of the measured response times attached to the original issue)

Expected Behavior

When trying to log in, the response times are almost equal no matter whether the username is correct or not.

Steps To Reproduce

No response

Environment

- Flow: 7.3
- Neos: 7.3
- PHP: 8.1

Anything else?

No response

Benjamin-K, Oct 05 '22 12:10

This looks security-relevant to me. We might want to make this issue non-public until there is a fix?

tantegerda1, Oct 05 '22 12:10

True. But keep me in the loop, please :)

Benjamin-K, Oct 05 '22 12:10

We even had (something like) this fixed in the past, see https://github.com/neos/flow-development-collection/pull/1495. 😬

The problem is the cost being different between the "dummy" and a "real" hashed password in the instance, due to a settings change?

kdambekalns, Oct 06 '22 07:10

Hm, the cost of 14 has been the default since this was added, see https://github.com/neos/flow-development-collection/commit/3343e597c9e70f3abb55f9d2839b45e4ed039499#diff-4360c37e41d3456986dee193b75552ea7dfa3cb03b0c4161a07fdcbe8e990f07

But looking at https://github.com/neos/flow-development-collection/pull/1495 shows that's when the cost of 16 for the dummy was added, so it was me who broke it with the fix. 🙈

kdambekalns, Oct 06 '22 07:10
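The mechanism discussed in the thread, as an added stand-alone example (not Neos/Flow code and not the patch from PR 1495): a login routine that verifies unknown usernames against a "dummy" bcrypt hash so the failing path does the same work as the real one, measured once with a dummy generated two cost steps above the account hashes (the 14 vs. 16 mismatch described above) and once with matching costs. The costs are scaled down to 10 and 12 so the run finishes in seconds; the ratio between two cost steps (~4x) is the same as between 14 and 16. The user store, the account password and the helper names are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not project code. Shows why the dummy hash used for unknown
// usernames must have the same bcrypt cost as the real account hashes.
// Costs are scaled down (10 vs 12) so the demo runs quickly; the thread's
// instance used 14 for accounts and 16 for the dummy, the same two-step gap.

const ACCOUNT_COST     = 10; // assumed cost of the real account hashes
const WRONG_DUMMY_COST = 12; // dummy generated two steps higher (~4x the work)

/** Constructed user store: a single account, hashed at ACCOUNT_COST. */
function buildUsers(): array
{
    return [
        'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => ACCOUNT_COST]),
    ];
}

/** Dummy hash of a random secret, generated once at the given cost. */
function makeDummyHash(int $cost): string
{
    return password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => $cost]);
}

/** Cost parameter stored inside a bcrypt hash string. */
function hashCost(string $hash): int
{
    return (int) password_get_info($hash)['options']['cost'];
}

/**
 * For an unknown username the password is still verified against the dummy
 * hash, so the failing path performs the same bcrypt work as the path for an
 * existing user with a wrong password; the attempt is then rejected anyway.
 */
function authenticate(array $users, string $dummyHash, string $username, string $password): bool
{
    if (isset($users[$username])) {
        return password_verify($password, $users[$username]);
    }
    password_verify($password, $dummyHash); // result intentionally discarded
    return false;
}

/** Median wall-clock time in ms over $runs calls of $fn. */
function medianMs(callable $fn, int $runs = 5): float
{
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        $start = hrtime(true);
        $fn();
        $samples[] = (hrtime(true) - $start) / 1e6;
    }
    sort($samples);
    return $samples[intdiv($runs, 2)];
}

/** Timing of a wrong-password login for an existing vs. an unknown username. */
function measure(int $dummyCost): array
{
    $users = buildUsers();
    $dummy = makeDummyHash($dummyCost);
    return [
        'costs_match' => hashCost($dummy) === hashCost($users['alice']),
        'existing'    => medianMs(fn() => authenticate($users, $dummy, 'alice', 'wrong password')),
        'unknown'     => medianMs(fn() => authenticate($users, $dummy, 'nobody', 'wrong password')),
    ];
}

foreach ([WRONG_DUMMY_COST, ACCOUNT_COST] as $dummyCost) {
    $r = measure($dummyCost);
    printf(
        "dummy cost %d (costs %s): existing user %.0f ms, unknown user %.0f ms, ratio %.1f\n",
        $dummyCost,
        $r['costs_match'] ? 'match' : 'MISMATCH',
        $r['existing'],
        $r['unknown'],
        $r['unknown'] / $r['existing']
    );
}
```

With the mismatched dummy the unknown-username line is roughly four times slower than the existing-user line, which is the signal the issue reports; with matching costs the two timings differ only by noise. The opposite mistake, returning early for an unknown user without hashing at all, leaks the same information with the sign reversed, and the `costs_match` check is the kind of guard a deployment can run at boot to catch a dummy generated with a different setting than the account hashes.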