0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: MEDIUM

Location: src/Controllers/AuthController.php:477-488, 654

Bug: Count check and increment are separate statements; races allow extra attempts.

Fix: Single atomic UPDATE ... WHERE attempts < :max + rowcount check.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:49pm

Resolved.

Both handleVerifyEmail and handleResetPassword now use an atomic counter bump in SQL (src/Controllers/AuthController.php):

UPDATE verification_codes SET attempts = attempts + 1
 WHERE id = :id AND attempts < :max AND consumed = 0

The controller checks rowCount() !== 1 and treats it as a rejection. Two parallel requests can no longer both read attempts = max - 1, both pass the PHP-side guard, and both proceed to password_verify. The DB enforces the budget.

Locking this thread.
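The read-then-write pattern from the report beside the atomic form described in the resolution, as an added example that is not the project's code; the PDO handle, the verification_codes columns (id, code_hash, attempts, consumed) and the function names are assumptions.

```php
<?php
// Added example, not the project's code. Assumes a PDO handle and a
// verification_codes table with columns id, code_hash, attempts, consumed
// (hypothetical schema chosen to match the thread).
declare(strict_types=1);

const MAX_ATTEMPTS = 5;

// RACY: check and increment are separate statements. Two concurrent requests
// can both read attempts = MAX_ATTEMPTS - 1, both pass the guard, and both
// reach password_verify, so the budget is exceeded by the number of racers.
function verifyCodeRacy(PDO $pdo, int $id, string $code): bool
{
    $stmt = $pdo->prepare('SELECT attempts, code_hash FROM verification_codes WHERE id = :id AND consumed = 0');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['attempts'] >= MAX_ATTEMPTS) {
        return false;                                   // the check ...
    }
    $pdo->prepare('UPDATE verification_codes SET attempts = attempts + 1 WHERE id = :id')
        ->execute([':id' => $id]);                      // ... and the act: the window lies between them
    return password_verify($code, $row['code_hash']);
}

// ATOMIC: the budget is spent in the same statement that enforces it, so the
// database serialises the racers and at most MAX_ATTEMPTS of them ever reserve a try.
function verifyCodeAtomic(PDO $pdo, int $id, string $code): bool
{
    $stmt = $pdo->prepare(
        'UPDATE verification_codes SET attempts = attempts + 1
          WHERE id = :id AND attempts < :max AND consumed = 0'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':max', MAX_ATTEMPTS, PDO::PARAM_INT);
    $stmt->execute();
    if ($stmt->rowCount() !== 1) {
        return false;                                   // budget exhausted, already consumed, or unknown id
    }
    // Only a request that successfully reserved an attempt gets to compare the code.
    $stmt = $pdo->prepare('SELECT code_hash FROM verification_codes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($code, $hash)) {
        return false;
    }
    // Same idea for single use: consume conditionally and trust the row count, not a prior read.
    $stmt = $pdo->prepare('UPDATE verification_codes SET consumed = 1 WHERE id = :id AND consumed = 0');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount() === 1;
}
```

Because attempts = attempts + 1 always changes the row, rowCount() gives the same answer whether the driver reports matched or affected rows, so the check does not depend on that driver setting.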
