|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
Patchespassword-as-path (last revision 2018-09-06 11:37 UTC by cmb@php.net)Pull RequestsHistoryAllCommentsChangesGit/SVN commits
[2018-09-05 10:35 UTC] cmb@php.net
-Status: Open
+Status: Verified
[2018-09-05 10:35 UTC] cmb@php.net
[2018-09-05 20:34 UTC] leon at valkenb dot org
[2018-09-06 11:37 UTC] cmb@php.net
-Summary: Possible authentication attuck vector
+Summary: Possible authentication attack vector
[2018-09-06 11:37 UTC] cmb@php.net
[2018-09-06 11:37 UTC] cmb@php.net
[2018-12-02 05:01 UTC] stas@php.net
[2018-12-02 05:01 UTC] stas@php.net
-Summary: Possible authentication attack vector
+Summary: password_verify returns true comparing null and \0
-Type: Security
+Type: Bug
[2018-12-06 22:32 UTC] leon at valkenb dot org
[2021-10-09 13:04 UTC] divinity76 at gmail dot com
|
|||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 15:01:30 2024 UTC |
Description: ------------ password_verify() returns true when hashed null is passed and string of nulls used to verify against, password_verify() thinks all is OK. Given this is not that likely to be an issue, i have seen production databases that have gone and encrypted raw password with password_hash() and many values were null, an i was able to log into the sites knowing the email address and passing a string of nulls as the password. Test script: --------------- $check = "\0\0\0\0\0\0"; $hash = password_hash(null, PASSWORD_DEFAULT); if (empty($check)){ exit('No Password'); } if (strlen($check) < 5){ exit('Wrong Length'); } var_dump(password_verify($check, $hash)); Expected result: ---------------- bool(false) Actual result: -------------- bool(true)