Time-Based Information Disclosure Vulnerability in Flow (Flow-SA-2016-001)

It has been discovered that Flow is affected by a time-based information disclosure vulnerability.

Component Type: Flow
Vulnerability Type: Information Disclosure
Severity: Low
Affected Versions: All Flow versions before 2.3.16, 3.0.10, 3.1.7, 3.2.7, 3.3.5
Release Date: November 1st, 2016
Suggested CVSS v3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/CR:L/IR:L/AR:L
CVE: not assigned

Problem Description

The PersistedUsernamePasswordProvider was prone to disclosing whether an account exists through timing attacks, because the password was hashed only when an account was found. We changed the core so that the provider always performs a password comparison whenever credentials were submitted at all.
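
The pattern described above, shown next to a uniform-work variant, as an added example that is not Flow's own code. The account array, the function names and the dummy-hash approach are assumptions made for illustration; only PHP's built-in password_hash() and password_verify() are used.

```php
<?php
declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 10];

// Constructed sample account store (username => bcrypt hash); not Flow's account repository.
$accounts = ['alice' => password_hash('correct horse', PASSWORD_BCRYPT, BCRYPT_OPTIONS)];
// Hash of a random secret with the same algorithm and cost, used when no account matches.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, BCRYPT_OPTIONS);
// Counts expensive verifications so the difference is visible without relying on timing alone.
$verifications = 0;

function verify(string $password, string $hash): bool
{
    global $verifications;
    $verifications++;
    return password_verify($password, $hash);
}

// Pattern from the advisory: hashing happens only if the account was found,
// so a request for an unknown username returns measurably faster.
function authenticateLeaky(array $accounts, string $user, string $password): bool
{
    if (!isset($accounts[$user])) {
        return false; // early exit, no hashing performed
    }
    return verify($password, $accounts[$user]);
}

// Uniform variant: exactly one comparison per submitted credential pair.
function authenticateUniform(array $accounts, string $user, string $password): bool
{
    global $dummyHash;
    $known = isset($accounts[$user]);
    $matches = verify($password, $known ? $accounts[$user] : $dummyHash);
    return $known && $matches;
}

foreach (['authenticateLeaky', 'authenticateUniform'] as $fn) {
    foreach (['alice', 'nobody'] as $user) {
        $verifications = 0;
        $start = hrtime(true);
        $ok = $fn($accounts, $user, 'wrong password');
        $ms = (hrtime(true) - $start) / 1e6;
        printf("%-20s %-7s ok=%d hashes=%d %.1f ms\n", $fn, $user, $ok, $verifications, $ms);
    }
}
```

The dummy hash has to use the same algorithm and cost as real account hashes; otherwise the two paths still differ in duration.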


Update to Flow 2.3.16, 3.0.10, 3.1.7, 3.2.7 or 3.3.5, which fix the problems described.


Thanks to Kevin Fischer and Coresec Systems who discovered the issues and to the Neos team for fixing and reviewing the fixes.