
CVE-2016-15015: Barzahlen Payment Module PHP SDK vulnerable to Observable Timing Discrepancy

CVSS Score: 5.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.28671%
Published: 1/8/2023
Updated: 10/20/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name               Ecosystem   Vulnerable Versions   First Patched Version
barzahlen/barzahlen-php    composer    < 2.0.1               2.0.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from an insecure string comparison in the verify method of src/Webhook.php. The original code used PHP's `==` operator to compare the signature received with the webhook request against the one computed locally. A `==` comparison of two strings stops at the first differing byte, so the time verify takes depends on how many leading bytes of the attacker-supplied signature match the expected value; an attacker who can measure response times can in principle use that oracle to reconstruct a valid signature byte by byte. The fix replaced the comparison with a constant-time one via Middleware::stringsEqual, confirming that the defect lay in the original verify function. The commit diff and the CWE-208 (Observable Timing Discrepancy) classification support this conclusion.
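As an added illustration (not code from the barzahlen-php SDK or from Miggo), the comparison pattern the analysis describes is shown beside its constant-time replacement. The signing scheme (lowercase hex HMAC-SHA256 over the raw request body), the shared secret and the sample webhook body are assumptions constructed for this example; the SDK's own Middleware::stringsEqual is not reproduced, only a typical constant-time helper of the kind such a method contains, next to PHP's built-in hash_equals().

```php
<?php
// Added example for CVE-2016-15015. NOT the barzahlen-php SDK code: the
// signing scheme, secret and sample body below are assumptions.
declare(strict_types=1);

const WEBHOOK_SECRET = 'constructed-demo-secret'; // assumption: shared secret

function computeSignature(string $body, string $secret): string
{
    // Assumed scheme: lowercase hex HMAC-SHA256 over the raw request body.
    return hash_hmac('sha256', $body, $secret);
}

// Before: the pattern the advisory describes. '==' compares byte by byte and
// returns at the first mismatch, so the time spent depends on how many leading
// bytes of the attacker-supplied value match the real signature. '==' also
// applies PHP's loose numeric-string rules ('0e1' == '0e2' is true), a second
// reason never to compare MACs with it.
function verifyVulnerable(string $body, string $receivedSignature, string $secret): bool
{
    $expected = computeSignature($body, $secret);
    return $expected == $receivedSignature;
}

// A hand-written constant-time helper, assumed to be the shape of what a
// stringsEqual-style method does on PHP builds without hash_equals():
// check lengths first (the length of a fixed-size MAC is not secret), then
// OR together the XOR of every byte pair so the loop never exits early.
function constantTimeEquals(string $known, string $user): bool
{
    $n = strlen($known);
    if ($n !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// After: constant-time comparison. hash_equals() (PHP >= 5.6) takes the
// known-good value first and its running time depends only on that value's
// length, not on where the first differing byte is.
function verifyHardened(string $body, string $receivedSignature, string $secret): bool
{
    $expected = computeSignature($body, $secret);
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $receivedSignature);
    }
    return constantTimeEquals($expected, $receivedSignature);
}

// Constructed sample webhook body and two candidate signatures: the genuine
// one, and a forgery whose first 8 hex characters are right and whose
// remainder has been replaced. Under '==' the forgery is rejected only after
// the first 8 bytes have been compared; under hash_equals() every wrong guess
// costs the same.
$body   = '{"event":"paid","slip_id":"demo-0001","amount":"12.34"}';
$valid  = computeSignature($body, WEBHOOK_SECRET);
$forged = substr($valid, 0, 8) . str_repeat('0', strlen($valid) - 8);

var_dump(verifyVulnerable($body, $valid, WEBHOOK_SECRET));
var_dump(verifyVulnerable($body, $forged, WEBHOOK_SECRET));
var_dump(verifyHardened($body, $valid, WEBHOOK_SECRET));
var_dump(verifyHardened($body, $forged, WEBHOOK_SECRET));
```

Run it with `php verify_demo.php`; both functions accept the genuine signature and reject the forgery, the difference is only in how long the rejection takes. Keep the argument order of hash_equals() as shown (known value first, user-supplied value second), because the function's timing is designed to reveal nothing about the second argument beyond the length of the first.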


WAF Protection Rules

WAF Rule

A vulnerability, which was classified as problematic, was found in viafintech Barzahlen Payment Module PHP SDK up to 2.0.0. Affected is the function `verify` of the file `src/Webhook.php`. The manipulation leads to observable timing discrepancy. Upgr
