In challenge_response.module's challenge_response_authenticate(), there is the possibility of a replay attack succeeding. The 'SELECT' and 'DELETE' queries should be one atomic action in order to defend against a replay attack. If a login attempt using valid information can be replayed fast enough, it is possible that the 'SELECT' query could be executed twice, before running the 'DELETE' query.

  $query = "SELECT count(*) AS count FROM {challenge_response_challenges} WHERE challenge='$challenge'";
  $result = db_query($query);
  $count = db_fetch_array($result);
  $query = "DELETE FROM {challenge_response_challenges} WHERE challenge='$challenge'";
  db_query($query);

I don't know if there's any mutex support in Drupal, but I'm more inclined to add a function to MySQL that does the 'DELETE' automatically after each 'SELECT'.

Comments

mpd’s picture

mpd commented

Check for existing challenge and deletion of challenge is now one atomic action. Using plain old 'DELETE', since it returns True on success, and NULL on failure.

Anonymous’s picture

(not verified) commented