Laravel cookie forgery, decryption, and RCE (mwrinfosecurity.com)
25 points by krapp on April 20, 2014 | 12 comments


This is going to sound like empty language-war rhetoric, but: PHP might be the worst mainstream language in which to implement crypto. A crappy type system is one thing, but an unpredictable type system is much worse.


The enemy of any crypto is naïve assumption. That's not unique to PHP, but I agree, the type system can make it worse.


As usual, HN only cares about PHP when there's some FUD to spread.

This is an old bug that was made public and fixed over a year ago [0].

[0] http://www.reddit.com/r/PHP/comments/2332gq/laravel_cookie_f...


I didn't intend to spread FUD when I posted this - I wasn't aware the equality check was also fixed. I use Laravel in a lot of projects and only saw it posted elsewhere today.

re the downvotes: fair enough I guess.


Just curious, but where did you see this? This was posted last week on /r/php and the Laravel creator stepped in and pointed out that it was patched a while ago.


A PHP group on LinkedIn. Probably posted from /r/php but I haven't been there in a while.


This bug was publicly disclosed and fixed over a year ago.


Was that disclosed by MWR? It might just be delayed publication on their blog.


No, Jon Cave first disclosed it on his personal blog.


I published details of a separate issue on my personal blog (linked in the first paragraph of this article). This is delayed publication of a second set of issues.


Only sites which have error reporting enabled are vulnerable, so no need to panic unless you're displaying errors in production.


All sites were vulnerable to authenticating as other users or tampering with ciphertexts. Error reporting enables the RCE. However, I still hope that nobody is vulnerable or panicking since this was reported and fixed last year.



