Laravel Sensitive Data Exposure
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
0 → fixed in 5.5.10
Details
Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison.
The fix
Perform constant-time token comparison in
src/Illuminate/Auth/DatabaseUserProvider.php+1 −2
@@ -70,10 +70,9 @@ public function retrieveByToken($identifier, $token){$user = $this->conn->table($this->table)->where('id', $identifier)-->where('remember_token', $token)->first();-return $this->getGenericUser($user);+return hash_equals($user->remember_token, $token) ? $this->getGenericUser($user) : null;}/**EloquentUserProvidersrc/Illuminate/Auth/EloquentUserProvider.php | 7 +++----1 file changed, 3 insertions(+), 4 deletions(-)
src/Illuminate/Auth/EloquentUserProvider.php+3 −4
@@ -60,12 +60,11 @@ public function retrieveById($identifier)*/public function retrieveByToken($identifier, $token){-$model = $this->createModel();--return $model->newQuery()+$model = $this->createModel()->newQuery()->where($model->getAuthIdentifierName(), $identifier)-->where($model->getRememberTokenName(), $token)->first();++return $model && hash_equals($model->getRememberToken(), $token) ? $model : null;}/**src/Illuminate/Auth/DatabaseUserProvider.php | 2 +-1 file changed, 1 insertion(+), 1 deletion(-)
src/Illuminate/Auth/DatabaseUserProvider.php+1 −1
@@ -72,7 +72,7 @@ public function retrieveByToken($identifier, $token)->where('id', $identifier)->first();-return hash_equals($user->remember_token, $token) ? $this->getGenericUser($user) : null;+return $user && hash_equals($user->remember_token, $token) ? $this->getGenericUser($user) : null;}/**src/Illuminate/Auth/EloquentUserProvider.php | 2 +-1 file changed, 1 insertion(+), 1 deletion(-)
src/Illuminate/Auth/EloquentUserProvider.php+1 −1
@@ -63,7 +63,7 @@ public function retrieveByToken($identifier, $token)$model = $this->createModel()->newQuery()->where($model->getAuthIdentifierName(), $identifier)->first();-+return $model && hash_equals($model->getRememberToken(), $token) ? $model : null;}
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-14775
- WEBhttps://github.com/laravel/framework/pull/21320
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/auth/CVE-2017-14775.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2017-14775.yaml
- WEBhttps://github.com/laravel/framework/releases/tag/v5.5.10
- WEBhttps://laravel-news.com/laravel-v5-5-11