silverstripe/framework users inadvertently passing sensitive data to LoginAttempt
All user login attempts are logged in the database in the LoginAttempt table. However, this table contains information in plain text, and may possible contain sensitive information, such as user passwords mis-typed into the username field.
In order to address this a one-way hash is applied to the Email field before being stored.
| Software | From | Fixed in |
|---|---|---|
silverstripe / framework
|
3.5.0-rc1 | 3.5.6 |
|
silverstripe / framework
|
3.6.0-rc1 | 3.6.3 |
|
silverstripe / framework
|
4.0.0-rc1 | 4.0.1 |
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2017-009-1.yaml
- https://github.com/silverstripe/silverstripe-framework/commit/3e2bcaa0b49277ff7f7004b265a7fa80d0b92e5c
- https://github.com/silverstripe/silverstripe-framework/commit/c5d6eb816d4ac5e9fa3d8bc4bd82de95719eb22d
- https://github.com/silverstripe/silverstripe-framework/commit/f1dd3d6f03eb1d94c29c495994a1da9176a758d9
- https://www.silverstripe.org/download/security-releases/ss-2017-009
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime