Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE 2017-8081 #1224

Closed
2 tasks done
tablatronix opened this issue Apr 24, 2017 · 8 comments
Closed
2 tasks done

CVE 2017-8081 #1224

tablatronix opened this issue Apr 24, 2017 · 8 comments

Comments

@tablatronix
Copy link
Member

tablatronix commented Apr 24, 2017

generate_salt unnecessarily weak.

  • mt_rand weak
  • sub str sha1 to 22 characters ( why )?

we allow custom salt and it has no problems being longer than 22 chars so i have no idea where this restriction came from. Do not see any breakage from removing it.

refs
#880
#931

@tablatronix tablatronix added this to the 3.3.14 milestone Apr 24, 2017
@WilliamParks
Copy link
Contributor

There are a couple options from what I've seen, but they aren't as drag & drop as I'd hoped.

Thoughts?

@WilliamParks
Copy link
Contributor

An alternative would be to branch on version, with 5.3+ getting the secure version, and 5.2 staying as is (idk how many users use the hotfix, but are on php v5.2).

@tablatronix
Copy link
Member Author

tablatronix commented Apr 25, 2017

wrap a more secure option in a 5.2 fallback to whatever random is best for that version

if(version_compare(PHP_VERSION, "5.2", "<")){

}

probably just use function_exists with fallback ?

I see notes about this being a problem on windows (slowww) in comments and that it was not crypto secure until bugfixed 5.5?

min php version wont be changed in minor version, I think alot of crappy hosts are just now getting php up to date, there might be some still on 5.2

@tablatronix
Copy link
Member Author

pr #1226

@tablatronix
Copy link
Member Author

  • test speed in windows php 5.6, add windows exclusion if necessary.

@cnb
Copy link
Contributor

cnb commented Dec 22, 2017

Perhaps it would be better using function_exists('openssl_random_pseudo_byte') with fallback as you commented. See here:
http://get-simple.info/forums/showthread.php?tid=10305&pid=61808#pid61808

@tablatronix
Copy link
Member Author

I already commited, but the site went 502 again so i cant post

@tablatronix
Copy link
Member Author

  • add function exists check was missing in PR, some installs do not have opensll funcs

@tablatronix tablatronix modified the milestone: 3.3.14 Aug 13, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants