php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76842 password_verify returns true comparing null and \0
Submitted: 2018-09-05 00:19 UTC Modified: 2018-12-06 22:32 UTC
From: leon at valkenb dot org Assigned:
Status: Verified Package: *Encryption and hash functions
PHP Version: 7.1.21 OS: Ubuntu
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: leon at valkenb dot org
New email:
PHP Version: OS:

 

 [2018-09-05 00:19 UTC] leon at valkenb dot org
Description:
------------
password_verify() returns true when hashed null is passed and string of nulls used to verify against, password_verify() thinks all is OK.

Given this is not that likely to be an issue, i have seen production databases that have gone and encrypted raw password with password_hash() and many values were null, an i was able to log into the sites knowing the email address and passing a string of nulls as the password.

Test script:
---------------
$check = "\0\0\0\0\0\0";

$hash = password_hash(null, PASSWORD_DEFAULT);

if (empty($check)){
	exit('No Password');
}

if (strlen($check) < 5){
	exit('Wrong Length');
}

var_dump(password_verify($check, $hash));

Expected result:
----------------
bool(false)

Actual result:
--------------
bool(true)

Patches

password-as-path (last revision 2018-09-06 11:37 UTC by cmb@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-09-05 10:35 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-09-05 10:35 UTC] cmb@php.net
This might be related to bug #74473.
 [2018-09-05 20:34 UTC] leon at valkenb dot org
Is there any way i can see ug #74473 as its marked private?
 [2018-09-06 11:37 UTC] cmb@php.net
-Summary: Possible authentication attuck vector +Summary: Possible authentication attack vector
 [2018-09-06 11:37 UTC] cmb@php.net
> Is there any way i can see ug #74473 as its marked private?

No, sorry.  Security reports are private to the reporter, and to
those with sec karma.

Anyhow, on a closer look I'm not sure this is really a bug at all.
password_hash()ing NULL is equivalent to password_hash()ing an
empty string, and this should be checked and prohibited in the
first place in userland (“password too short”).  I consider it
unlikely that a user would circumvent this check by passing a
string of NULs.

Nonetheless, the password API should probably check for NUL bytes
in given passwords to prohibit such misuse.
 [2018-09-06 11:37 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: password-as-path
Revision:   1536233879
URL:        https://bugs.php.net/patch-display.php?bug=76842&patch=password-as-path&revision=1536233879
 [2018-12-02 05:01 UTC] stas@php.net
Doesn't seem to be likely scenario to have null as valid password.
 [2018-12-02 05:01 UTC] stas@php.net
-Summary: Possible authentication attack vector +Summary: password_verify returns true comparing null and \0 -Type: Security +Type: Bug
 [2018-12-06 22:32 UTC] leon at valkenb dot org
....
Given this is not that likely to be an issue, i have seen production databases that have gone and encrypted raw password with password_hash() and many values were null, an i was able to log into the sites knowing the email address and passing a string of nulls as the password.
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Tue Dec 11 23:01:25 2018 UTC