I stumbled across this weird PHP bug in the crypt() implementation (version 5.3.7RC5) [1]
The bug reporter states that:
"If crypt() is executed with MD5 salts, the return value consists of the salt only."
In other words, the call:
printf("MD5: %s\n", crypt('password', '$1$U7AjYB.O$'));
results in
$1$U7AjYB.O
instead of:
$1$U7AjYB.O$L1N7ux7twaMIMw0En8UUR1
What this means is that if we store a credential in a database and later check the validity of a password, the check will always result in TRUE (i.e. correct): crypt() returns only the salt, so every password hashed with that salt produces the same string.
$saltedpass = crypt($pw, $salt);
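The failure and a defensive check, as an added example (not code from the original post or from PHP itself). The names broken_crypt, naive_verify, is_complete_md5_crypt and checked_verify are hypothetical; broken_crypt is a constructed stand-in that returns the salt only, as the bug report describes, and hash_equals assumes PHP 5.6 or later.

```php
<?php
// Constructed stand-in for the affected crypt(): returns the salt only
// (without its trailing "$"), matching the output shown in the bug report.
function broken_crypt($password, $salt) {
    return rtrim($salt, '$');
}

// Naive check: re-hash the candidate using the stored value as the salt
// and compare the two strings.
function naive_verify($crypt, $candidate, $stored) {
    return $crypt($candidate, $stored) === $stored;
}

// A complete MD5-crypt string is "$1$" + 1..8 salt chars + "$" + 22 chars.
function is_complete_md5_crypt($hash) {
    return is_string($hash)
        && preg_match('#^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}\z#', $hash) === 1;
}

// Checked verification: never compare unless both the stored record and
// the freshly computed value are full hashes, not a bare salt.
function checked_verify($crypt, $candidate, $stored) {
    if (!is_complete_md5_crypt($stored)) {
        return false; // record was written by a broken build: force a reset
    }
    $computed = $crypt($candidate, $stored);
    return is_complete_md5_crypt($computed) && hash_equals($stored, $computed);
}

$salt   = '$1$U7AjYB.O$';                    // salt from the bug report
$stored = broken_crypt('password', $salt);   // what the affected build stores

// Naive check with the right password, then with a wrong one.
var_dump(naive_verify('broken_crypt', 'password', $stored));
var_dump(naive_verify('broken_crypt', 'wrong', $stored));
// Checked version with the same wrong password and truncated record.
var_dump(checked_verify('broken_crypt', 'wrong', $stored));

// Deployment self-test against the real crypt() of the running build,
// using the expected value quoted in the bug report.
$expected = '$1$U7AjYB.O$L1N7ux7twaMIMw0En8UUR1';
var_dump(crypt('password', $salt) === $expected);
var_dump(checked_verify('crypt', 'password', $expected));
```

With the stand-in, the naive check accepts both candidates, while the checked version rejects the truncated record. Any record that fails is_complete_md5_crypt was stored without a hash and needs a password reset.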
Here is the patch that fixed it (note how the strlcat to strcat change was made): http://www.mail-archive.com/pld-cvs-commit@lists.pld-linux.org/msg261500.html
For readers unaware of the concept of a cryptographic "salt", look here
[1] https://bugs.php.net/bug.php?id=55439