[TYPO3-core] RFC: #10201: Duplicate cHash Values

Marcus Krause marcus#exp2009 at t3sec.info
Mon Sep 7 21:11:24 CEST 2009


Francois Suter wrote:
> Hi,
> 
>> +1 by reading and testing. Now it should be ready for trunk!
> 
> It should, but Michael wanted to have the security team's opinion on
> this to answer some security concerns that were raised earlier. I guess
> he didn't have time to do it, so I have just done it.

I'm speaking for myself only.

The concerns are about the same problems as in showpic that have been
discussed recently in #11721.

Regarding full md5 hashes for cHash, there's (currently) no way to get
hold of the encryption key. The basis for it would be successful preimage
attacks for md5 (although it's not a classical preimage problem). Such
attacks are not known to have succeeded for md5 (yet).


Marcus.

