|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #64449 crypt doesn't fail on "$" in CRYPT_DES salt
Submitted: 2013-03-18 22:25 UTC Modified: 2020-06-24 12:07 UTC
From: brad at bradconte dot com Assigned: nikic (profile)
Status: Closed Package: *Encryption and hash functions
PHP Version: 5.4.13 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: brad at bradconte dot com
New email:
PHP Version: OS:


 [2013-03-18 22:25 UTC] brad at bradconte dot com
From manual page:

The PHP documentation states that crypt() will "return a failure" if the salt contains an invalid character. For CRYPT_DES, the character "$" (ie, dollar-sign) is not listed as a valid character. However, an input salt with the "$" character still results in valid CRYPT_DES hash output instead of a failure. The documentation and the function's behavior are inconsistent.

Note that the glibc crypt() function fails when "$" is provided, so the documentation is probably correct and it is probably the implementation that is at fault.

Note that allowing "$" for CRYPT_DES has an interesting security implication: Since other hash algorithm salt formats begin with "$", a mistake on the programmer's part in selecting the desired hash algorithm can cause a silent downgrade to the undesirable hash algorithm CRYPT_DES. Examples:

* Valid salt strings for unsupported salt algorithms may get downgraded to CRYPT_DES. For example, in PHP 5.2 (pre-CRYPT_BLOW_FISH support) the CRYPT_BLOWFISH salt string '$2a$abcdefghijklmnopqrstuv' will be silently downgraded to CRYPT_DES.

* An invalid salt string for another algorithm may get downgraded to CRYPT_DES. For example the attempted CRYPT_SHA256 string '$6 $1234567890123456789012345678901234567890123' (notice the space) will get downgraded to CRYPT_DES.

This downgrade will only be caught by the programmer comparing output format and length to the expected format. Since the documentation says CRYPT_DES will return a failure on a salt with a "$", the programmer could be led astray and not thoroughly examine the result. If crypt() failed instead, the programmer's mistake would be much more obvious.

Test script:
/* PHP 5.2 */
if (crypt('password', '$2') == crypt('password', '$2a$11$07fc1ae880d703a7a83424)
    echo "TRIPLE_DES selection";

/* PHP 5.4 */
crypt('password', '$2'); /* Outputs same as above. */

Expected result:
I expect crypt('password', '$2') to return a failure.

Actual result:
crypt('password', '$2') returns a valid hash.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2015-09-08 00:55 UTC]
-Status: Open +Status: Verified -Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2015-09-08 00:55 UTC]
That appears to be a security issue, at least in PHP 5:
 [2020-06-24 12:07 UTC]
-Status: Verified +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-06-24 12:07 UTC]
The specific examples are rejected since PHP 7, and crypt DES fallback is completely gone in PHP 8, so I'm closing this.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Fri Jan 27 12:04:13 2023 UTC