I stumbled across this weird PHP bug in the crypt() implementation (version 5.3.7RC5) [1]
The bug reporter states that :

"If crypt() is executed with MD5 salts, the return value consists of the salt only."
In other words the call :
printf("MD5: %s\n", crypt('password', '$1$U7AjYB.O$'));

results in   

instead of:

What this means is that in case we store a credential in a Database and later check for the validity of a password the check will always result in TRUE (i.e correct)
$saltedpass = crypt($pw, $salt);

Here is the patch that fixed it (Note how the the strlcat to strcat change was made):http://www.mail-archive.com/pld-cvs-commit@lists.pld-linux.org/msg261500.html

For readers unaware of the concept of a cryptographic "salt", look here
[1] https://bugs.php.net/bug.php?id=55439


Post a Comment