Serious security issue in PHP 5.3.7 forces developers to advise against upgrade

PHP's latest 5.3.7 release looks like it's going to have a very short shelf life as the developers have recognised a serious flaw in one of the built-in functions used to provide cryptographic functions often used in password-based authentication systems.

The issue is that the crypt() function of PHP, which is often used to compute hashes of passwords and salts for storage in a database, returned only the salt when asked to use the MD5 algorithm (which it does by default).

This problem, when combined with one particularly common method of verifying a user's password, for example, can lead to anybody gaining access by using simply any password. Due to the error, the function will return the result you would expect from a successful authentication, and all kinds of security problems could then arise.

The issue was only highlighted on the PHP bug tracker one day before the release of 5.3.7 and was not acknowledged until the day after that release.

The issue is annotated with reports that the builds of PHP from source were failing the unit tests in advance of the release, which leads to questions over whether these were properly reviewed prior to the final build being made available to the public.

The PHP team are planning a quick update to the release, pushing it to 5.3.8, and users are advised not to upgrade until this version is available.

You might also like...

Comments

Contribute

Why not write for us? Or you could submit an event or a user group in your area. Alternatively just tell us what you think!

Our tools

We've got automatic conversion tools to convert C# to VB.NET, VB.NET to C#. Also you can compress javascript and compress css and generate sql connection strings.

“The difference between theory and practice is smaller in theory than in practice.”