Link: https://hackerone.com/reports/2491447
Date: 2024-05-06 07:18:39 UTC
By: ryanrb
Weakness: Information Exposure Through Timing Discrepancy
Details:
Summary
Similar to #2447113, the basic auth implementation used in lib/src/extras/rpc_server.rs leverages nimiq_jsonrpc_server, which does a simplistic string comparison of passwords.
Project: core-rs-albatross
File reference: lib/src/extras/rpc_server.rs, line 67
File reference: nimiq_jsonrpc_server:server/lib.rs, line 180
Recommendation
Use a constant-time (timing-safe) comparison for the password check, so that the time taken to reject a guess does not depend on how many leading bytes of the guess match the stored password.
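As an added illustration, not code from core-rs-albatross, nimiq_jsonrpc_server or the reporter: the short-circuiting comparison the report describes next to a constant-time replacement, and a Basic Auth check built on the latter. The function names `naive_eq`, `naive_eq_traced`, `constant_time_eq` and `check_basic_auth`, the `Credentials` struct and the credentials themselves are assumptions constructed for this example.

```rust
// Added example (not the project's code): naive vs. constant-time password
// comparison for an HTTP Basic Auth check. All names here are assumptions.
use std::hint::black_box;

/// Naive comparison: `==` on byte slices compares lengths first and then stops
/// at the first differing byte, so the time taken depends on how much of the
/// attacker's guess matches the secret. This is the pattern the report describes.
pub fn naive_eq(a: &[u8], b: &[u8]) -> bool {
    a == b
}

/// Instrumented version of the naive loop that also reports how many bytes were
/// inspected before returning, to make the timing dependence visible.
pub fn naive_eq_traced(a: &[u8], b: &[u8]) -> (bool, usize) {
    if a.len() != b.len() {
        return (false, 0);
    }
    for i in 0..a.len() {
        if a[i] != b[i] {
            return (false, i + 1);
        }
    }
    (true, a.len())
}

/// Constant-time comparison: always walks max(len(a), len(b)) bytes, folds every
/// byte difference into an accumulator with OR, and decides only at the end.
/// `black_box` discourages the optimizer from reintroducing an early exit.
/// The loop count still depends on the longer input's length (not its content),
/// so bound the guess length or hash both inputs to a fixed width if the secret's
/// length itself must stay hidden. In production prefer a reviewed primitive such
/// as `subtle::ConstantTimeEq` over a hand-rolled loop.
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    let n = a.len().max(b.len());
    let mut diff: u8 = (a.len() != b.len()) as u8;
    for i in 0..n {
        // Out-of-range reads yield 0; which branch `get` takes depends on the
        // lengths only, never on the secret's bytes.
        let x = a.get(i).copied().unwrap_or(0);
        let y = b.get(i).copied().unwrap_or(0);
        diff |= black_box(x ^ y);
    }
    black_box(diff) == 0
}

/// Expected RPC credentials (hypothetical struct for this example).
pub struct Credentials {
    pub username: String,
    pub password: String,
}

/// Check a Basic Auth username/password pair. Both comparisons always run and
/// are combined with bitwise `&` rather than `&&`, so a wrong username does not
/// short-circuit and reveal that the username was the part that failed.
pub fn check_basic_auth(expected: &Credentials, user: &str, pass: &str) -> bool {
    let user_ok = constant_time_eq(expected.username.as_bytes(), user.as_bytes());
    let pass_ok = constant_time_eq(expected.password.as_bytes(), pass.as_bytes());
    user_ok & pass_ok
}

fn main() {
    // Constructed sample secret and guesses.
    let secret = b"correct-horse-battery-staple";
    // The naive loop inspects 1 byte for a first-byte mismatch but 28 bytes for
    // a guess that is right up to the last byte; that gap is the timing signal.
    println!("{:?}", naive_eq_traced(secret, b"xorrect-horse-battery-staple"));
    println!("{:?}", naive_eq_traced(secret, b"correct-horse-battery-stapla"));
    println!("naive: {}", naive_eq(secret, b"correct-horse-battery-staple"));
    println!("ct:    {}", constant_time_eq(secret, b"correct-horse-battery-stapla"));

    let creds = Credentials {
        username: "admin".to_string(),
        password: "s3cret".to_string(),
    };
    println!("auth ok: {}", check_basic_auth(&creds, "admin", "s3cret"));
    println!("auth ok: {}", check_basic_auth(&creds, "admin", "wrong"));
}
```

The decisive property is that `constant_time_eq` does the same amount of work whether the guess fails at byte 1 or byte 28; `naive_eq_traced` exists only to show that the naive loop does not. Once the password check no longer leaks, the same discipline applies to the username check and to how the two results are combined, which is why `check_basic_auth` avoids `&&`.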
Impact
The RPC server's basic auth password could potentially be recovered via timing analysis if the comparison in nimiq_jsonrpc_server is used as-is: an attacker who can measure the server's response time over many authentication attempts learns how many leading bytes of each guess match the real password.