Old 05-10-2015, 07:30 PM   #1 (permalink)
user1
Article: PHP Hash Comparison Weakness A Threat To Websites, Researcher Says

PHP Hash Comparison Weakness A Threat To Websites, Researcher Says

"Flaw could allow attackers to compromise user accounts, WhiteHat
Security's Robert Hansen -- aka 'RSnake' -- says in new finding on
'Magic Hash' vulnerability. "

URL:
http://www.darkreading.com/vulnerabi...d/d-id/1320353
Old 05-10-2015, 10:30 PM   #2 (permalink)
Jerry Stuckle

On 5/10/2015 3:29 PM, user1 wrote:
> PHP Hash Comparison Weakness A Threat To Websites, Researcher Says
>
> "Flaw could allow attackers to compromise user accounts, WhiteHat
> Security's Robert Hansen -- aka 'RSnake' -- says in new finding on
> 'Magic Hash' vulnerability. "
>
> URL:
> http://www.darkreading.com/vulnerabi...d/d-id/1320353
>


Which is not a problem with using proper coding techniques.

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex@attglobal.net
==================
Old 05-10-2015, 10:30 PM   #3 (permalink)
user1

On 10/05/2015 22:55, Jerry Stuckle wrote:
> On 5/10/2015 3:29 PM, user1 wrote:
> > PHP Hash Comparison Weakness A Threat To Websites, Researcher Says
> >
> > "Flaw could allow attackers to compromise user accounts, WhiteHat
> > Security's Robert Hansen -- aka 'RSnake' -- says in new finding on
> > 'Magic Hash' vulnerability. "
> >
> > URL:
> > http://www.darkreading.com/vulnerabi...d/d-id/1320353
> >
>
> Which is not a problem with using proper coding techniques.


Indeed, a fair point good sir.

Hopefully everyone knows about using proper coding techniques.

But just in case some don't, or are still at a learning stage - perhaps
you could recommend a good website as a source of information on proper
coding techniques?
(For PHP specifically or more broadly.)

Thanks
Old 05-10-2015, 11:30 PM   #4 (permalink)
Jerry Stuckle

On 5/10/2015 6:23 PM, user1 wrote:
> On 10/05/2015 22:55, Jerry Stuckle wrote:
>> On 5/10/2015 3:29 PM, user1 wrote:
>> > PHP Hash Comparison Weakness A Threat To Websites, Researcher Says
>> >
>> > "Flaw could allow attackers to compromise user accounts, WhiteHat
>> > Security's Robert Hansen -- aka 'RSnake' -- says in new finding on
>> > 'Magic Hash' vulnerability. "
>> >
>> > URL:
>> > http://www.darkreading.com/vulnerabi...d/d-id/1320353
>> >
>>
>> Which is not a problem with using proper coding techniques.
>
> Indeed, a fair point good sir.
>
> Hopefully everyone knows about using proper coding techniques.
>
> But just in case some don't, or are still at a learning stage - perhaps
> you could recommend a good website as a source of information on proper
> coding techniques?
> (For PHP specifically or more broadly.)
>
> Thanks


Proper coding techniques is a huge subject - and one you won't find on a
website - at least not a free one. It's too much and takes a lot of
experience and training.

There may be some good books on it - I know there were several years
ago, but I haven't checked recently. There may also be some paid
courses on the internet, but I've never checked them out.

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex@attglobal.net
==================
Old 05-11-2015, 08:30 PM   #5 (permalink)
Jim Higgins

On Sun, 10 May 2015 23:23:31 +0100, in
<L7KdnUdJy934R9LInZ2dnUU78T-dnZ2d@giganews.com>, user1
<none@none.invalid> wrote:

>On 10/05/2015 22:55, Jerry Stuckle wrote:
>> On 5/10/2015 3:29 PM, user1 wrote:
>> > PHP Hash Comparison Weakness A Threat To Websites, Researcher Says
>> >
>> > "Flaw could allow attackers to compromise user accounts, WhiteHat
>> > Security's Robert Hansen -- aka 'RSnake' -- says in new finding on
>> > 'Magic Hash' vulnerability. "
>> >
>> > URL:
>> > http://www.darkreading.com/vulnerabi...d/d-id/1320353
>> >
>>
>> Which is not a problem with using proper coding techniques.
>
>Indeed, a fair point good sir.
>
>Hopefully everyone knows about using proper coding techniques.
>
>But just in case some don't, or are still at a learning stage - perhaps
>you could recommend a good website as a source of information on proper
>coding techniques?


The article seems to give you the proper technique to overcome this
issue. Just read it to the very end.
Old 05-11-2015, 09:30 PM   #6 (permalink)
Christoph M. Becker

Jim Higgins wrote:

> On Sun, 10 May 2015 23:23:31 +0100, in
> <L7KdnUdJy934R9LInZ2dnUU78T-dnZ2d@giganews.com>, user1
> <none@none.invalid> wrote:
>
>> On 10/05/2015 22:55, Jerry Stuckle wrote:
>>> On 5/10/2015 3:29 PM, user1 wrote:
>>>> PHP Hash Comparison Weakness A Threat To Websites, Researcher Says
>>>>
>>>> "Flaw could allow attackers to compromise user accounts, WhiteHat
>>>> Security's Robert Hansen -- aka 'RSnake' -- says in new finding on
>>>> 'Magic Hash' vulnerability. "
>>>>
>>>> URL:
>>>> http://www.darkreading.com/vulnerabi...d/d-id/1320353
>>>
>>> Which is not a problem with using proper coding techniques.
>>
>> Indeed, a fair point good sir.
>>
>> Hopefully everyone knows about using proper coding techniques.
>>
>> But just in case some don't, or are still at a learning stage - perhaps
>> you could recommend a good website as a source of information on proper
>> coding techniques?
>
> The article seems to give you the proper technique to overcome this
> issue. Just read it to the very end.


Indeed, using === resp. !== would help to solve this issue, but it still
wouldn't secure against potential timing attacks. Therefore one should
use hash_equals() or a respective userland implementation for PHP
versions before 5.6.0, or maybe preferably the password hashing
functions[1] introduced in PHP 5.5.0 (or a respective fallback).

[1] <http://php.net/manual/en/ref.password.php>

--
Christoph M. Becker
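
The comparison options named in the post above, side by side, as an added example that is not code from the thread or the linked article. The two hash-shaped strings are constructed sample values, and `timing_safe_equals` is a hypothetical name for the userland fallback.

```php
<?php
// Constructed sample values: two different 32-character strings shaped like
// MD5 hex digests that start with "0e" and contain only digits afterwards.
// They are not the digests of any real input.
$stored   = '0e123456789012345678901234567890';
$supplied = '0e987654321098765432109876543210';

// Loose comparison: both operands are numeric strings, so PHP compares them
// as numbers (0 times a power of ten on each side) and reports them equal.
$loose = ($stored == $supplied);

// Strict comparison never converts the strings, so they differ.
$strict = ($stored === $supplied);

// Hypothetical userland fallback for PHP < 5.6, where hash_equals() is
// missing. It always walks the full string, so the running time does not
// reveal the position of the first mismatching byte.
function timing_safe_equals($known, $user)
{
    if (!is_string($known) || !is_string($user)
        || strlen($known) !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

$compare  = function_exists('hash_equals') ? 'hash_equals' : 'timing_safe_equals';
$constant = call_user_func($compare, $stored, $supplied);

// Password hashing API (PHP >= 5.5): password_hash() salts and encodes the
// hash, and password_verify() does the comparison itself, so application
// code never compares password hashes with == at all.
$hash     = password_hash('constructed-sample-password', PASSWORD_DEFAULT);
$accepted = password_verify('constructed-sample-password', $hash);
$rejected = password_verify('some-other-guess', $hash);

var_dump($loose, $strict, $constant, $accepted, $rejected);
```

Of the three string comparisons, only the loose `==` reports the two different strings as equal.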

Old 05-11-2015, 10:30 PM   #7 (permalink)
user1

On 10/05/2015 23:46, Jerry Stuckle wrote:
> On 5/10/2015 6:23 PM, user1 wrote:
> > On 10/05/2015 22:55, Jerry Stuckle wrote:
> >> On 5/10/2015 3:29 PM, user1 wrote:
> >> > PHP Hash Comparison Weakness A Threat To Websites, Researcher Says
> >> >
> >> > "Flaw could allow attackers to compromise user accounts, WhiteHat
> >> > Security's Robert Hansen -- aka 'RSnake' -- says in new finding on
> >> > 'Magic Hash' vulnerability. "
> >> >
> >> > URL:
> >> > http://www.darkreading.com/vulnerabi...d/d-id/1320353
> >> >
> >>
> >> Which is not a problem with using proper coding techniques.
> >
> > Indeed, a fair point good sir.
> >
> > Hopefully everyone knows about using proper coding techniques.
> >
> > But just in case some don't, or are still at a learning stage - perhaps
> > you could recommend a good website as a source of information on proper
> > coding techniques?
> > (For PHP specifically or more broadly.)
> >
> > Thanks
>
> Proper coding techniques is a huge subject - and one you won't find on a
> website - at least not a free one. It's too much and takes a lot of
> experience and training.
>
> There may be some good books on it - I know there were several years
> ago, but I haven't checked recently. There may also be some paid
> courses on the internet, but I've never checked them out.
>


Just in case it is of any use to anyone following this thread, I found
these sites/pages as a starting point for PHP proper coding techniques -
just in case they are of interest to any PHP beginners following this
thread.

- PHP and HTML ( of course )
http://us3.php.net/manual/en/faq.html.php

- PHP: The Right Way.
http://www.phptherightway.com/

- Best coding practices
http://en.wikipedia.org/wiki/Best_coding_practices

- 30+ PHP Best Practices for Beginners
http://code.tutsplus.com/tutorials/3...ners--net-6194

Disclaimer: I'm not saying these are all excellent, but here is
something as-opposed-to-nothing, for what it might be worth; to somebody
who has the appropriate beginner-status and sincere interest in learning
more.

I had a quick look at the PHP documentation for the first time in a
while. I had somewhat forgotten how informative it can be.
( http://php.net/docs.php )

Thanks for your time.




Old 05-11-2015, 10:30 PM   #8 (permalink)
user1

On 11/05/2015 22:06, Christoph M. Becker wrote:
> Indeed, using === resp. !== would help to solve this issue, but it still
> wouldn't secure against potential timing attacks. Therefore one should
> use hash_equals() or a respective userland implementation for PHP
> versions before 5.6.0, or maybe preferably the password hashing
> functions[1] introduced in PHP 5.5.0 (or a respective fallback).
>
> [1] <http://php.net/manual/en/ref.password.php>
>


Good reading - I am grateful for the pointer, thank-you.