php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55439 crypt() returns only the salt for MD5
Submitted: 2011-08-17 13:03 UTC Modified: 2011-08-22 21:28 UTC
Votes:9
Avg. Score:4.6 ± 0.8
Reproduced:8 of 8 (100.0%)
Same Version:2 (25.0%)
Same OS:4 (50.0%)
From: jo at feuersee dot de Assigned: stas
Status: Closed Package: *Encryption and hash functions
PHP Version: 5.3.7RC5 OS: Linux
Private report: No CVE-ID:
 [2011-08-17 13:03 UTC] jo at feuersee dot de
Description:
------------
If crypt() is executed with MD5 salts, the return value conists of the salt only.
DES and BLOWFISH salts work as expected.

I tested with php from openSUSE PHP5 repository

> php -v
PHP 5.3.7RC6-dev (cli)
> rpm -q php5
php5-5.3.6.201108112132-94.1.x86_64

Test script:
---------------
printf("MD5: %s\n", crypt('password', '$1$U7AjYB.O$'));


Expected result:
----------------
MD5: $1$U7AjYB.O$L1N7ux7twaMIMw0En8UUR1

Actual result:
--------------
MD5: $1$U7AjYB.O

Patches

80 (last revision 2011-09-20 04:05 UTC) by michaeloses_18 at hotmail dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-08-19 10:12 UTC] noel dot butler at ausics dot net
This is confirmed bug in stable release 5.3.7
 [2011-08-19 11:03 UTC] tomp at tomp dot co dot uk
Hi,

We have also experienced this problem with the official release of PHP 5.3.7.
 [2011-08-19 11:15 UTC] pajoye@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: stas
 [2011-08-19 11:15 UTC] pajoye@php.net
stas, could you look at this issue please? It could be related to our latest 
changes there.
 [2011-08-19 21:16 UTC] jo at feuersee dot de
Verified for PHP5.3.7 
> php -v
PHP 5.3.7 (cli) 

> php -r 'printf("%s\n", crypt("password"));'
$1$p4uaO1jN

Note that only the salt is returned.

AFAIK MD5 is the default encryption type.

The big problem is that if an application stores this hashes in a database and uses them for authentication, the problem with this bug is that 
$valid = crypt($pw, $crypt);
will always be TRUE regardless of $pw

We do have a serious problem here. I suggest recalling 5.3.7 and go for a 5.3.7pl1
 [2011-08-19 21:32 UTC] jo at feuersee dot de
Uhm ok the PHP code wasn't correct but I think you get the point:
If crypt() only stores the salt then crypt($pw, $salt) will return the salt and comparing this to $pw is useless as the salt is a constant regardless of $pw.
 [2011-08-19 22:19 UTC] stas@php.net
Confirming, some very recent update broke it - right now unit tests fail on SVN. I 
wonder if nobody run it before release?
 [2011-08-19 22:49 UTC] stas@php.net
Automatic comment from SVN on behalf of stas
Revision: http://svn.php.net/viewvc/?view=revision&revision=315218
Log: Unbreak crypt() (fix bug #55439)
# If you want to remove static analyser messages, be my guest,
# but please run unit tests after
 [2011-08-19 22:50 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2011-08-19 22:50 UTC] stas@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

fixed, thanks
 [2011-08-20 01:32 UTC] noel dot butler at ausics dot net
Thanks stas, confirmed fixed in snapshot 201108200030
 [2011-08-20 08:48 UTC] info at onlime dot ch
thanks for fixing this (in my eyes) release critical bug. Are you going to release an official 5.3.7pl1 soon?
I'm not able to deploy a SVN/snapshot release on our webservers. It simply doesn't look good. Our customers rely on stable PHP releases. I would very much appreciate a pl1 release.
 [2011-08-20 09:09 UTC] pajoye@php.net
Yes, we will release 5.3.7pl1 or 5.3.8
 [2011-08-23 08:09 UTC] johannes@php.net
Automatic comment from SVN on behalf of johannes
Revision: http://svn.php.net/viewvc/?view=revision&revision=315338
Log: Merge r315218 - Unbreak crypt() (fix bug #55439) (stas)
 [2011-08-23 17:45 UTC] christoph_m at gmx dot net
Hi,
I looked at the code changes. strlcat(passwd, "$", 1); was replaced by 
strcat(passwd, "$"); In my opinion that is the same behavior as before. Both 
functions append the string "$" and add the terminating NUL-Character. 

This is my first look into the PHP-repository and this bugtracker ;)

KR
christoph
 [2011-08-23 18:44 UTC] christoph_m at gmx dot net
Ok, strlcat() includes the length for the terminating NUL-Byte. So, the bugfix 
should be ok.
 [2012-04-18 09:49 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4f980905a0bff94807ea07cb897c0e4cd4e6b83f
Log: Unbreak crypt() (fix bug #55439) # If you want to remove static analyser messages, be my guest, # but please run unit tests after
 [2012-07-24 23:40 UTC] rasmus@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4f980905a0bff94807ea07cb897c0e4cd4e6b83f
Log: Unbreak crypt() (fix bug #55439) # If you want to remove static analyser messages, be my guest, # but please run unit tests after
 [2013-11-17 09:36 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4f980905a0bff94807ea07cb897c0e4cd4e6b83f
Log: Unbreak crypt() (fix bug #55439) # If you want to remove static analyser messages, be my guest, # but please run unit tests after
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 01:01:59 2014 UTC