Security context
Medium· 5.9GHSA-c2v7-j5gq-wcq4 CVE-2017-14775CWE-200Published May 17, 2022

Laravel Sensitive Data Exposure

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0 → fixed in 5.5.10

Details

Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison.

The fix

Perform constant-time token comparison in

Michael Cordingley· Sep 21, 2017, 01:35 AM+68576cba749f
src/Illuminate/Auth/DatabaseUserProvider.php+1 2
@@ -70,10 +70,9 @@ public function retrieveByToken($identifier, $token)
{
$user = $this->conn->table($this->table)
->where('id', $identifier)
- ->where('remember_token', $token)
->first();
- return $this->getGenericUser($user);
+ return hash_equals($user->remember_token, $token) ? $this->getGenericUser($user) : null;
}
/**
EloquentUserProvider
src/Illuminate/Auth/EloquentUserProvider.php | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
src/Illuminate/Auth/EloquentUserProvider.php+3 4
@@ -60,12 +60,11 @@ public function retrieveById($identifier)
*/
public function retrieveByToken($identifier, $token)
{
- $model = $this->createModel();
-
- return $model->newQuery()
+ $model = $this->createModel()->newQuery()
->where($model->getAuthIdentifierName(), $identifier)
- ->where($model->getRememberTokenName(), $token)
->first();
+
+ return $model && hash_equals($model->getRememberToken(), $token) ? $model : null;
}
/**
src/Illuminate/Auth/DatabaseUserProvider.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
src/Illuminate/Auth/DatabaseUserProvider.php+1 1
@@ -72,7 +72,7 @@ public function retrieveByToken($identifier, $token)
->where('id', $identifier)
->first();
- return hash_equals($user->remember_token, $token) ? $this->getGenericUser($user) : null;
+ return $user && hash_equals($user->remember_token, $token) ? $this->getGenericUser($user) : null;
}
/**
src/Illuminate/Auth/EloquentUserProvider.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
src/Illuminate/Auth/EloquentUserProvider.php+1 1
@@ -63,7 +63,7 @@ public function retrieveByToken($identifier, $token)
$model = $this->createModel()->newQuery()
->where($model->getAuthIdentifierName(), $identifier)
->first();
-
+
return $model && hash_equals($model->getRememberToken(), $token) ? $model : null;
}

References