Doc Bug #64041 Example shows unsafe use of encryption
Submitted: 2013-01-21 20:48 UTC Modified: 2013-06-07 20:04 UTC
From: pawel dot krawczyk at hush dot com Assigned:
Status: Duplicate Package: Documentation problem
PHP Version: Irrelevant OS: n/a
Private report: No CVE-ID: None
 [2013-01-21 20:48 UTC] pawel dot krawczyk at hush dot com
Description:
------------
---
From manual page: http://www.php.net/function.mcrypt-encrypt#refsect1-function.mcrypt-encrypt-examples
---

The mcrypt_encrypt() example shows simple encryption using ECB mode and with no 
message integrity validation. This is then being copied by people in production 
applications, creating vulnerabilities. It would help a lot if the example also 
added HMAC calculation for the message. Its validation should be added to 
mcrypt_decrypt() function.

http://php.net/manual/en/function.hash-hmac.php
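
The change the report asks for, as an added example that is not part of the report or of the PHP manual: encryption followed by an HMAC over the result, with the HMAC checked before any decryption. It assumes the openssl extension and AES-256-CBC in place of mcrypt and ECB (mcrypt was removed from PHP core in 7.2); the names seal_message(), open_message(), CIPHER and MAC_LEN are hypothetical.

```php
<?php
// Added example: encrypt-then-MAC (AES-256-CBC + HMAC-SHA256), two independent keys.
const CIPHER = 'aes-256-cbc';
const MAC_LEN = 32; // raw HMAC-SHA256 output length in bytes

function seal_message(string $plaintext, string $encKey, string $macKey): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh random IV per message
    $ct = openssl_encrypt($plaintext, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // The MAC covers the IV and the ciphertext, so neither can be altered unnoticed.
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return base64_encode($mac . $iv . $ct);
}

function open_message(string $token, string $encKey, string $macKey): string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < MAC_LEN + $ivLen + 16) {
        throw new RuntimeException('malformed message');
    }
    $mac = substr($raw, 0, MAC_LEN);
    $iv = substr($raw, MAC_LEN, $ivLen);
    $ct = substr($raw, MAC_LEN + $ivLen);
    // Verify first, with a constant-time comparison; decrypt only authentic data.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Constructed demo: round trip, then a one-bit change to the ciphertext.
$encKey = random_bytes(32);
$macKey = random_bytes(32);
$token = seal_message('constructed sample message', $encKey, $macKey);
echo open_message($token, $encKey, $macKey), PHP_EOL;
$raw = base64_decode($token);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 1);
try {
    open_message(base64_encode($raw), $encKey, $macKey);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```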



 [2013-06-07 20:04 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2013-06-07 20:04 UTC] nikic@php.net
Has been fixed, see duplicate bug: https://bugs.php.net/bug.php?id=62453