PT-2026-53181 · Packagist · Spomky-Labs/Otphp
Publicado
2026-06-18
·
Atualizado
2026-06-18
CVSS v4.0
8.7
Alta
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Summary
The
digits parameter parsed from a provisioning URI is validated only with a lower bound ($value > 0) and has no upper bound (src/OTP.php:353-357). OTP generation computes $code % (10 ** $this->getDigits()) (src/OTP.php:283). When digits is large enough that 10 ** digits overflows PHP's integer range and the (int) cast yields 0 (around digits >= 40 on 64-bit PHP 8.x), the modulo operand becomes 0 and PHP raises a DivisionByZeroError.Impact
OTPHPFactory::loadFromProvisioningUri() forwards the attacker-controlled digits query value to setParameter('digits', $value), so a hostile URI such as otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&digits=50 produces an OTP object whose at(), now(), and verify() all throw DivisionByZeroError. Because DivisionByZeroError extends Error (not Exception), callers that guard OTP generation with a catch (Exception) do not catch it, turning a malformed URI into an unhandled fatal error (denial of service of the verification path).Measured threshold on PHP 8.3:
digits = 30 works, digits >= 40 throws DivisionByZeroError: Modulo by zero.Affected component
src/OTP.php:353-357—digitsparameter callback (no upper bound)src/OTP.php:283—$code % (10 ** $this->getDigits())
Proof of concept
php
use OTPHPFactory;
use OTPHPInternalClock;
$otp = Factory::loadFromProvisioningUri(
'otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&digits=50',
new InternalClock()
);
$otp->at(0); // DivisionByZeroError: Modulo by zero (escapes catch (Exception))Remediation
Enforce a sane upper bound on
digits in the parameter validation callback (e.g. reject values above 8–10, the practical range for OTPs) so that an out-of-range value is rejected with a documented exception instead of producing an object that fails later with an uncatchable Error.Correção
Divide By Zero
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Spomky-Labs/Otphp