[3.x] Fix bug where special characters can be used when generating throttle key #216
Conversation
So, there is no way to handle this at the MySQL configuration level to disable this behavior of turning special characters into "normal" characters?
MySQL will translate special characters back to normal characters automatically. So if I try to log in as ⓣⓔⓢⓣ@ⓛⓐⓡⓐⓥⓔⓛ.ⓒⓞⓜ, once I reach the database the special characters are read as normal characters, no matter whether the field data uses special characters or not. Both versions are equal. However, when you're checking the number of requests in the throttle, PHP sees the special-character key I've generated as different from the alphanumeric key, resetting the throttle requests. That means an attacker can automate a brute-force attempt by simply replacing a single letter with its special-character counterpart after a certain number of attempts, bypassing the minute lockdown.
This character conversion can be done via the https://github.com/voku/portable-ascii PHP package (already present in framework core):

```php
use voku\helper\ASCII;

ASCII::to_transliterate("ⓐ"); // a
ASCII::to_transliterate("⓴"); // 20
```

I would suggest introducing a helper in core like
@liamh101 Thoughts?
@ankurk91 @taylorotwell I'm happy to investigate/add this in. I'm not particularly proud of my current implementation as it's a bit messy, so this would be a good refinement. I suggest we keep this in for now though, for security reasons.
PR to core change: laravel/framework#40681
I assume this attack vector also applies to Fortify? Specifically:

```php
protected function throttleKey(Request $request)
{
    return Str::lower($request->input(Fortify::username())).'|'.$request->ip();
}
```
The Laravel UI package needs to bump the framework version in composer.json and can start using the
Done that here: #219
…rottle key (#216) * Fix bug where special characters can be used when generating throttle keys * Update ThrottlesLogins.php * Update ThrottlesLogins.php Co-authored-by: Liam Hackett <liamh@DESKTOP-RS5AQ35.localdomain> Co-authored-by: Taylor Otwell <taylor@laravel.com>
Bugfix for the issue I reported earlier in the week.
It was possible to bypass the login throttle by replacing alphanumeric characters with their special-character equivalents.
This fix replaces them after the username has been translated into lowercase.
This will not affect usernames that aren't emails, because at the database level special characters and their alphanumeric equivalents are seen as the same thing.
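As an added illustration (not code from laravel/ui, Fortify or the framework itself), the standalone PHP script below builds the throttle key both the way the `throttleKey()` quoted above does and with the `ASCII::to_transliterate` step proposed in this thread, then counts how many distinct rate-limiter keys several spellings of one address produce. It assumes the `voku/portable-ascii` package is installed via Composer; the usernames, the IP address and the array standing in for the rate limiter are all constructed for the example.

```php
<?php
// Added example, not code from laravel/ui or laravel/fortify: shows why a
// throttle key built from the raw lowercased username can be reset by
// swapping in Unicode variants that the database collation treats as equal,
// and how transliterating the key after lowercasing closes that gap.
// Assumes `composer require voku/portable-ascii` (the package proposed in
// the thread). $attempts stands in for the RateLimiter store.
require __DIR__.'/vendor/autoload.php';

use voku\helper\ASCII;

/** Key as the original throttleKey() builds it: lower(username)|ip. */
function throttleKeyUnsafe(string $username, string $ip): string
{
    return mb_strtolower($username).'|'.$ip;
}

/**
 * Hardened key: transliterate after lowercasing so that spellings the
 * database's case/accent-insensitive collation matches to the same row
 * also land on the same throttle counter.
 */
function throttleKeySafe(string $username, string $ip): string
{
    return ASCII::to_transliterate(mb_strtolower($username).'|'.$ip);
}

/** Minimal stand-in for RateLimiter::hit(): counts hits per key. */
function hit(array &$attempts, string $key): int
{
    $attempts[$key] = ($attempts[$key] ?? 0) + 1;

    return $attempts[$key];
}

// Constructed inputs: one mailbox written four ways. The stored value is
// assumed to be "test@laravel.com" in a column with a *_ci collation.
$variants = [
    'test@laravel.com',
    'TEST@laravel.com',
    'ⓣⓔⓢⓣ@ⓛⓐⓡⓐⓥⓔⓛ.ⓒⓞⓜ',
    'tést@laravel.com',
];
$ip = '203.0.113.5'; // constructed, documentation range

$unsafe = [];
$safe = [];
foreach ($variants as $username) {
    hit($unsafe, throttleKeyUnsafe($username, $ip));
    hit($safe, throttleKeySafe($username, $ip));
}

// Each distinct key is a separate counter, i.e. a fresh allowance of attempts.
printf("distinct keys without transliteration: %d\n", count($unsafe));
printf("distinct keys with transliteration:    %d\n", count($safe));
foreach ($safe as $key => $count) {
    printf("  %s => %d attempts\n", $key, $count);
}
```

Run it with `php example.php` from a directory containing `vendor/autoload.php`. Without transliteration, `mb_strtolower` already merges the upper- and lower-case spellings, but the circled and accented spellings each get their own counter, which is the reset described in the issue; with `ASCII::to_transliterate` applied after lowercasing, every spelling maps onto the plain ASCII key, so the lockout counts all attempts against the same mailbox together. Transliterating the whole key rather than only the username is harmless because the IP part is already ASCII.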