PHP's latest 5.3.7 release looks like it's going to have a very short shelf life, as the developers have recognised a serious flaw in one of the built-in cryptographic functions often used in password-based authentication systems.
The issue is that the crypt() function of PHP, which is often used to compute hashes of passwords and salts for storage in a database, returned only the salt when asked to use the MD5 algorithm (which it does by default).
Combined with one particularly common method of verifying a user's password, for example, this problem can let anybody gain access using any password at all. Because of the error, the function returns the result you would expect from a successful authentication, and all kinds of security problems could then arise.
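The failure mode described above, as an added PHP example (not code from the PHP project or from the original article). `defective_crypt()` is a hypothetical stand-in that returns only the salt, `verify()` is the assumed re-hash-and-compare idiom, and `crypt_md5_is_sane()` is a start-up self-test that rejects an implementation behaving this way; the example assumes the stored record was itself written by the defective function, and the salt and passwords are constructed samples.

```php
<?php
// Hypothetical stand-in for the defective crypt(): for an MD5 ("$1$") salt it
// returns only the salt portion, so the effect can be shown on a sound build.
function defective_crypt(string $password, string $salt): string
{
    if (preg_match('/^(\$1\$[^$]{0,8})/', $salt, $m) === 1) {
        return $m[1] . '$';
    }
    return crypt($password, $salt);
}

// Assumed verification idiom: re-hash the input using the stored value as
// the salt, then compare the result with the stored value.
function verify(callable $crypt, string $input, string $stored): bool
{
    return hash_equals($stored, $crypt($input, $stored));
}

// Start-up self-test: an MD5 crypt result must be the salt followed by a
// 22-character digest, never the salt alone.
function crypt_md5_is_sane(callable $crypt): bool
{
    $out = $crypt('self-test', '$1$selftest$');
    return preg_match('/^\$1\$selftest\$[.\/0-9A-Za-z]{22}$/', $out) === 1;
}

$salt = '$1$abcdefgh$';  // constructed sample salt
$from_sound_build     = crypt('correct horse', $salt);
$from_defective_build = defective_crypt('correct horse', $salt);

// Same wrong password checked against each record.
var_dump(verify('crypt', 'wrong guess', $from_sound_build));
var_dump(verify('defective_crypt', 'wrong guess', $from_defective_build));

// The self-test separates the two implementations.
var_dump(crypt_md5_is_sane('crypt'));
var_dump(crypt_md5_is_sane('defective_crypt'));
```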
The issue was only highlighted on the PHP bug tracker one day before the release of 5.3.7 and was not acknowledged until the day after that release.
The issue is annotated with reports that builds of PHP from source were failing the unit tests in advance of the release, which raises questions over whether those results were properly reviewed before the final build was made available to the public.
The PHP team are planning a quick update to the release, pushing it to 5.3.8, and users are advised not to upgrade until this version is available.