Laravel cookie forgery, decryption, and RCE - krapp
https://labs.mwrinfosecurity.com/blog/2014/04/11/laravel-cookie-forgery-decryption-and-rce/

======
tptacek
This is going to sound like empty language-war rhetoric, but: PHP might be the
worst mainstream language in which to implement crypto. A crappy type system
is one thing, but an unpredictable type system is much worse.

~~~
eksith
The enemy of any crypto is naïve assumption. That's not unique to PHP, but I
agree, the type system can make it worse.

------
adamors
As usual, HN only cares about PHP when there's some FUD to spread.

This is an old bug that was made public and fixed over a year ago [0].

[0]
[http://www.reddit.com/r/PHP/comments/2332gq/laravel_cookie_f...](http://www.reddit.com/r/PHP/comments/2332gq/laravel_cookie_forgery_decryption_and_rce/cgsysne)

~~~
krapp
I didn't intend to spread FUD when I posted this - I wasn't aware the equality
check was also fixed. I use Laravel in a lot of projects and only saw it
posted elsewhere today.

Re the downvotes: fair enough, I guess.

~~~
ianhawes
Just curious, but where did you see this? This was posted last week on /r/php
and the Laravel creator stepped in and pointed out that it was patched a while
ago.

~~~
krapp
A PHP group on LinkedIn. Probably posted from /r/php, but I haven't been there
in a while.

------
laravel
This bug was publicly disclosed and fixed over a year ago.

~~~
danpalmer
Was that disclosed _by MWR_? It might just be delayed publication on their
blog.

~~~
laravel
No, Jon Cave first disclosed it on his personal blog.

~~~
iWKtMK
I published details of a separate issue on my personal blog (linked in the
first paragraph of this article). This is delayed publication of a second set
of issues.

------
cbg0
Only sites which have error reporting enabled are vulnerable, so no need to
panic unless you're displaying errors in production.

~~~
iWKtMK
All sites were vulnerable to authenticating as other users or tampering with
ciphertexts. Error reporting enables the RCE. However, I still hope that
nobody is vulnerable or panicking since this was reported and fixed last year.

