[TYPO3-core] RFC: #10201: Duplicate cHash Values

Dan Osipov dosipov at phillyburbs.com
Wed Aug 26 16:30:57 CEST 2009


I'm not an encryption expert either, but I think to recalculate the 
encryption key given the cHash and get params would require a brute 
force method.

Dan Osipov
Calkins Media
http://danosipov.com/blog/

Oliver Hader wrote:
> Hi Francois,
> 
> Francois Suter schrieb:
>> So Dmitry says that the new version of RealURL is ready for testing and
>> could be released within a reasonable time frame if no major bugs are
>> found.
>>
>> I would like to know if it seems ok to (most of) you if we just indicate
>> somewhere (like in core, dev, english and perhaps other mailing lists;
>> and maybe also in the core blog or something) that the SVN version of
>> RealURL is necessary in order to work with the dev versions of 4.3,
>> knowing that an official release will take place in time for 4.3-final.
>>
>> How does that sound? I would quite like to have opinions from other core
>> team members and Olly in particular (as the RM for 4.3).
> 
> In general that sounds good to me. However, I'd like to request a
> feedback from the crawler guys first since it seems that there could be
> problems as well with a long cHash.
> 
> Another problem is indexed links in Google, for example - maybe we
> should think about a fallback option to support old cHashes as well. It
> could be handy when upgrading a website from 4.2 to 4.3, for example.
> 
> Scenario:
> "old URL": Events.101.0.html?&cHash=3847153e37&tx_ext_pi1[uid]=1
> "new URL":
> Events.101.0.html?&cHash=3847153e37098f6bcd4621d373cade4e&tx_ext_pi1[uid]=1
> 
> And another thing that comes into my mind is the possibility to
> recalculate the encryption key out of the cHash. I'm not an expert in
> mathematical hashing methods...
> 
> Scenario:
> 1) recalculate a possible encryption key out of a full MD5 cHash (GET
> arguments are given)
> 2) use the possible encryption key(s) to generate the juHash for a
> jumpurl attack
> 
> Maybe someone from the security team could give advice on that.
> Thanks in advance!
> 
> olly
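The two cHash forms in Olly's scenario, and the upgrade fallback he suggests, as an added example (not TYPO3 or RealURL code). It assumes TYPO3 4.x builds the cHash as an MD5 over serialize() of the sorted GET parameters plus the site's encryptionKey, truncated to 10 hex digits before #10201 and kept at full length afterwards; the key and parameters below are constructed.

```php
<?php
// Added example: models the pre-#10201 10-character cHash and the full-length
// MD5 cHash, a verifier that tolerates the legacy form during a 4.2 -> 4.3
// migration, and the birthday-bound estimate behind "duplicate cHash values".
// Assumption: params are serialize()d with the encryption key added and sorted.

function cHashParams(array $getParams, string $encryptionKey): array {
    // The cHash itself is never part of its own input; the key is mixed in.
    unset($getParams['cHash']);
    $getParams['encryptionKey'] = $encryptionKey;
    ksort($getParams);
    return $getParams;
}

function legacyCHash(array $getParams, string $encryptionKey): string {
    // 4.2 behaviour: first 10 hex digits of the MD5, i.e. only 40 bits.
    return substr(md5(serialize(cHashParams($getParams, $encryptionKey))), 0, 10);
}

function fullCHash(array $getParams, string $encryptionKey): string {
    // 4.3 behaviour after #10201: the whole 32-digit MD5.
    return md5(serialize(cHashParams($getParams, $encryptionKey)));
}

function verifyCHash(string $given, array $getParams, string $key, bool $acceptLegacy): bool {
    // Always try the full hash first; accept the short form only while migrating.
    if (hash_equals(fullCHash($getParams, $key), $given)) {
        return true;
    }
    return $acceptLegacy && strlen($given) === 10
        && hash_equals(legacyCHash($getParams, $key), $given);
}

function collisionProbability(int $hashBits, int $urls): float {
    // Birthday bound: P(at least one duplicate) ~ 1 - exp(-n^2 / 2^(bits+1)).
    // expm1 keeps precision for the tiny 128-bit value.
    return -expm1(-($urls ** 2) / (2 ** ($hashBits + 1)));
}

$key    = 'constructed-encryption-key';                 // constructed
$params = ['id' => 101, 'tx_ext_pi1' => ['uid' => 1]];  // constructed
$old = legacyCHash($params, $key);
$new = fullCHash($params, $key);
printf("legacy cHash=%s (%d bits), full cHash=%s\n", $old, strlen($old) * 4, $new);
printf("duplicate chance among 1,000,000 cached URLs: 40-bit %.2f, 128-bit %.2e\n",
    collisionProbability(40, 1000000), collisionProbability(128, 1000000));
var_dump(verifyCHash($old, $params, $key, true));   // legacy form accepted
var_dump(verifyCHash($old, $params, $key, false));  // rejected once migration ends
```

The fallback keeps the 40-bit check alive for every request that presents a 10-character cHash, so the `$acceptLegacy` switch belongs behind a deadline tied to re-indexing the old URLs rather than left on permanently.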

