ID:               45430
 Updated by:       [EMAIL PROTECTED]
 Reported By:      alex at all-dynamics dot de
 Status:           Critical
 Bug Type:         *Encryption and hash functions
 Operating System: Win32
 PHP Version:      5.2.6
-Assigned To:      
+Assigned To:      pajoye
 New Comment:

Taking this over for the Windows part. As part of the win32
improvement effort, I already wrote a patch to drop our win32
md5_crypt implementation and add support for other algorithms (just like
crypt_r + DES).


Previous Comments:
------------------------------------------------------------------------

[2008-07-15 02:28:46] [EMAIL PROTECTED]

See also:
http://blog.php-security.org/archives/82-Suhosin-0.9.20-and-crypt-Thread-Safety-Vulnerability.html

------------------------------------------------------------------------

[2008-07-04 08:50:38] alex at all-dynamics dot de

Description:
------------
crypt () seems not to be thread-safe when using a threaded webserver
(Windows, ISAPI). Maybe this has something to do with win32/md5crypt.c /
 md5_crypt: static char passwd[120] (static buffer which is returned to
the calling function).

Reproduce code:
---------------
Run this code with two or more simultaneous requests on a threaded
server:


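<?php
// Let the loop run to completion regardless of max_execution_time.
set_time_limit (0);

$passwd1 = "testtesttest";
$passwd2 = "passwordpassword";

for ($i = 0; $i < 3000; $i++) {

  // Hash with a generated salt, then re-hash using the result as the salt.
  // Both calls must return the same string unless another thread interfered.
  $crypted = crypt ($passwd1);
  if ($crypted != crypt ($passwd1, $crypted)) die ("no match");

  $crypted = crypt ($passwd2);
  if ($crypted != crypt ($passwd2, $crypted)) die ("no match");

}

echo "ok";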


Expected result:
----------------
"ok" on all requests

Actual result:
--------------
One request may end with "no match"; the other request will display
"ok".


------------------------------------------------------------------------
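The static-buffer pattern suspected in the description, next to a crypt_r-style variant where the caller owns the output buffer. This is an added example, not code from the report or from PHP's win32/md5crypt.c: toy_hash, crypt_static, crypt_reentrant and request_a_matches are hypothetical names, the hash is a non-cryptographic stand-in, and the two-request interleaving is replayed in a single thread so the outcome is deterministic.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#define OUT_LEN 120 /* size of the static buffer named in the report */

/* Toy stand-in (FNV-1a, hex-encoded). NOT md5_crypt, not for real passwords. */
static void toy_hash(const char *pw, const char *salt, char *out, size_t n)
{
    uint32_t h = 2166136261u;
    for (const char *p = salt; *p; p++) { h ^= (unsigned char)*p; h *= 16777619u; }
    for (const char *p = pw; *p; p++)   { h ^= (unsigned char)*p; h *= 16777619u; }
    snprintf(out, n, "$toy$%s$%08x", salt, (unsigned)h);
}

/* Pattern from the report: every caller gets a pointer to one shared buffer. */
char *crypt_static(const char *pw, const char *salt)
{
    static char passwd[OUT_LEN];
    toy_hash(pw, salt, passwd, sizeof passwd);
    return passwd;
}

/* crypt_r style: output goes into caller-owned storage, nothing is shared. */
char *crypt_reentrant(const char *pw, const char *salt, char *buf, size_t n)
{
    toy_hash(pw, salt, buf, n);
    return buf;
}

/* Replays the interleaving two requests can hit: A hashes, B hashes,
   then A compares its result. Returns 1 if A's comparison succeeds. */
int request_a_matches(int use_static)
{
    char expected[OUT_LEN], a_buf[OUT_LEN], b_buf[OUT_LEN];
    toy_hash("testtesttest", "ab", expected, sizeof expected);
    const char *a = use_static ? crypt_static("testtesttest", "ab")
                  : crypt_reentrant("testtesttest", "ab", a_buf, sizeof a_buf);
    if (use_static) crypt_static("passwordpassword", "cd"); /* request B */
    else crypt_reentrant("passwordpassword", "cd", b_buf, sizeof b_buf);
    return strcmp(a, expected) == 0;
}

int main(void)
{
    printf("static buffer: %s\n", request_a_matches(1) ? "ok" : "no match");
    printf("caller buffer: %s\n", request_a_matches(0) ? "ok" : "no match");
    return 0;
}
```

With real threads the overwrite depends on scheduling, which matches the report's observation that only some requests end with "no match".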

