Use of a Broken or Risky Cryptographic Algorithm in anonaddy/anonaddy
Reported on
Oct 5th 2021
Description
MD5 and SHA-1 are popular cryptographic hash algorithms often used to verify the integrity of messages and other data. Recent advances in cryptanalysis have discovered weaknesses in both algorithms. Consequently, MD5 and SHA-1 should no longer be relied upon to verify the authenticity of data in security-critical contexts.
Proof of Concept
<?php
namespace Tests\Feature;
use App\Models\AdditionalUsername; use App\Models\DeletedUsername; use App\Models\Recipient; use App\Models\User; use Illuminate\Auth\Notifications\VerifyEmail; use Illuminate\Foundation\Testing\RefreshDatabase; use Illuminate\Support\Carbon; use Illuminate\Support\Facades\Config; use Illuminate\Support\Facades\Notification; use Illuminate\Support\Facades\URL; use Tests\TestCase;
class RegistrationTest extends TestCase { use RefreshDatabase;
/** @test */
public function user_can_register_successfully()
{
Notification::fake();
$response = $this->post('/register', [
'username' => 'johndoe',
'email' => 'johndoe@example.com',
'email_confirmation' => 'johndoe@example.com',
'password' => 'mypassword',
'terms' => true,
]);
$response
->assertRedirect('/')
->assertSessionHasNoErrors();
$this->assertDatabaseHas('users', [
'username' => 'johndoe'
]);
$user = User::where('username', 'johndoe')->first();
Notification::assertSentTo(
$user,
VerifyEmail::class
);
}
/** @test */
public function user_cannot_register_with_invalid_characters()
{
$response = $this->post('/register', [
'username' => 'Ω',
'email' => 'johndoe@example.com',
'email_confirmation' => 'johndoe@example.com',
'password' => 'mypassword',
'terms' => true,
]);
$response->assertSessionHasErrors(['username']);
$this->assertDatabaseMissing('users', [
'username' => 'Ω'
]);
}
/** @test */
public function user_can_verify_email_successfully()
{
$user = User::factory()->create();
$user->email_verified_at = null;
$user->save();
$this->assertNull($user->refresh()->email_verified_at);
$verificationUrl = URL::temporarySignedRoute(
'verification.verify',
Carbon::now()->addMinutes(Config::get('auth.verification.expire', 60)),
[
'id' => $user->getKey(),
'hash' => sha1($user->getEmailForVerification()),
]
);
$response = $this->actingAs($user)->get($verificationUrl);
$response
->assertRedirect('/')
->assertSessionHas('verified');
$this->assertNotNull($user->refresh()->email_verified_at);
}
/** @test */
public function user_must_use_valid_username()
{
$response = $this->post('/register', [
'username' => 'john_doe',
'email' => 'johndoe@example.com',
'password' => 'mypassword',
'terms' => true,
]);
$response->assertSessionHasErrors(['username']);
$this->assertDatabaseMissing('users', [
'username' => 'john_doe'
]);
}
/** @test */
public function user_must_confirm_email()
{
$response = $this->post('/register', [
'username' => 'johndoe',
'email' => 'johndoe@example.com',
'password' => 'mypassword',
'terms' => true,
]);
$response->assertSessionHasErrors(['email']);
$this->assertDatabaseMissing('users', [
'username' => 'johndoe'
]);
}
/** @test */
public function user_cannot_register_with_existing_email()
{
$user = User::factory()->create(['username' => 'johndoe']);
Recipient::factory()->create([
'user_id' => $user->id,
'email' => 'johndoe@example.com'
]);
$response = $this->post('/register', [
'username' => 'johndoe',
'email' => 'johndoe@example.com',
'email_confirmation' => 'johndoe@example.com',
'password' => 'mypassword',
'terms' => true,
]);
$response->assertSessionHasErrors(['email']);
}
/** @test */
public function user_cannot_register_with_existing_username()
{
User::factory()->create(['username' => 'johndoe']);
$response = $this->post('/register', [
'username' => 'johndoe',
'email' => 'johndoe@example.com',
'email_confirmation' => 'johndoe@example.com',
'password' => 'mypassword',
'terms' => true,
]);
$response->assertSessionHasErrors(['username']);
}
/** @test */
public function user_cannot_register_with_existing_additional_username()
{
AdditionalUsername::factory()->create(['username' => 'johndoe']);
$response = $this->post('/register', [
'username' => 'johndoe',
'email' => 'johndoe@example.com',
'email_confirmation' => 'johndoe@example.com',
'password' => 'mypassword',
'terms' => true,
]);
$response->assertSessionHasErrors(['username']);
}
/** @test */
public function user_cannot_register_with_blacklisted_username()
{
$response = $this->post('/register', [
'username' => 'www',
'email' => 'johndoe@example.com',
'email_confirmation' => 'johndoe@example.com',
'password' => 'mypassword',
'terms' => true,
]);
$response->assertSessionHasErrors(['username']);
$this->assertDatabaseMissing('users', [
'username' => 'www'
]);
}
/** @test */
public function user_cannot_register_with_uppercase_blacklisted_username()
{
$response = $this->post('/register', [
'username' => 'Www',
'email' => 'johndoe@example.com',
'email_confirmation' => 'johndoe@example.com',
'password' => 'mypassword',
'terms' => true,
]);
$response->assertSessionHasErrors(['username']);
$this->assertDatabaseMissing('users', [
'username' => 'www'
]);
}
/** @test */
public function user_cannot_register_with_deleted_username()
{
DeletedUsername::create(['username' => 'johndoe']);
$response = $this->post('/register', [
'username' => 'johndoe',
'email' => 'johndoe@example.com',
'email_confirmation' => 'johndoe@example.com',
'password' => 'mypassword',
'terms' => true,
]);
$response->assertSessionHasErrors(['username']);
$this->assertDatabaseMissing('users', [
'username' => 'johndoe'
]);
}
/** @test */
public function user_cannot_register_with_uppercase_deleted_username()
{
DeletedUsername::create(['username' => 'johndoe']);
$response = $this->post('/register', [
'username' => 'joHndoe',
'email' => 'johndoe@example.com',
'email_confirmation' => 'johndoe@example.com',
'password' => 'mypassword',
'terms' => true,
]);
$response->assertSessionHasErrors(['username']);
$this->assertDatabaseMissing('users', [
'username' => 'johndoe'
]);
}
}
Impact
Weak cryptographic hashes cannot guarantee data integrity and should not be used in security-critical contexts.
Hi there,
Thanks for the report!
This same code is also used in Laravel's official repository - https://github.com/laravel/framework/blob/8.x/src/Illuminate/Auth/Notifications/VerifyEmail.php#L88
Since the sha1 hash algorithm is not being used for passwords but simply for a private temporary signed URL (that is only sent to the user), I do not think this is a security issue.
Hi buddy Thanks for reaching out. Use of SHA1 itself a security issue and it is vulnerable to hash collisions and other attacks.
Check the below link: https://www.computerworld.com/article/3173616/the-sha1-hash-function-is-now-completely-unsafe.html
Upgrading from SHA1 to SHA256 wont be a big challenge.
I've just pushed a new release that updates the hashing algorithm from SHA1 to Bcrypt - https://github.com/anonaddy/anonaddy/releases/tag/v0.8.5
Thanks again.
Hey buddy, Can you please change the status of this report to fixed and it will be great if you can award me some disclosure bounty :) @Ziding Zhang can you please help us out in this :)
It would be great if you can assign a CVE-ID for this. Cheers :)
Hi @maintainer Please confirm if we can start the process for the CVE ID.