Edit report at https://bugs.php.net/bug.php?id=55439&edit=1
ID: 55439 Comment by: noel dot butler at ausics dot net Reported by: jo at feuersee dot de Summary: crypt() returns only the salt for MD5 Status: Closed Type: Bug Package: *Encryption and hash functions Operating System: Linux PHP Version: 5.3.7RC5 Assigned To: stas Block user comment: N Private report: N New Comment: Thanks stas, confirmed fixed in snapshot 201108200030 Previous Comments: ------------------------------------------------------------------------ [2011-08-19 22:50:07] s...@php.net This bug has been fixed in SVN. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. For Windows: http://windows.php.net/snapshots/ Thank you for the report, and for helping us make PHP better. fixed, thanks ------------------------------------------------------------------------ [2011-08-19 22:49:11] s...@php.net Automatic comment from SVN on behalf of stas Revision: http://svn.php.net/viewvc/?view=revision&revision=315218 Log: Unbreak crypt() (fix bug #55439) # If you want to remove static analyser messages, be my guest, # but please run unit tests after ------------------------------------------------------------------------ [2011-08-19 22:19:40] s...@php.net Confirming, some very recent update broke it - right now unit tests fail on SVN. I wonder if nobody run it before release? ------------------------------------------------------------------------ [2011-08-19 21:32:01] jo at feuersee dot de Uhm ok the PHP code wasn't correct but I think you get the point: If crypt() only stores the salt then crypt($pw, $salt) will return the salt and comparing this to $pw is useless as the salt is a constant regardless of $pw. ------------------------------------------------------------------------ [2011-08-19 21:16:03] jo at feuersee dot de Verified for PHP5.3.7 > php -v PHP 5.3.7 (cli) > php -r 'printf("%s\n", crypt("password"));' $1$p4uaO1jN Note that only the salt is returned. AFAIK MD5 is the default encryption type. The big problem is that if an application stores this hashes in a database and uses them for authentication, the problem with this bug is that $valid = crypt($pw, $crypt); will always be TRUE regardless of $pw We do have a serious problem here. I suggest recalling 5.3.7 and go for a 5.3.7pl1 ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=55439 -- Edit this bug report at https://bugs.php.net/bug.php?id=55439&edit=1