You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I would expect admin password to be generated with a secure hashing function, with a suitably random salt.
This is not the case, instead the password is created using a md5 hash, which whilst salted, the salt generation is a mess, and reliant on md5 hashes to create the salt. A nice circular reference back to md5 hashes...which are just poor.
SALT.php is generated using include.php, specifically: $sSalt = '<'.'?php //' .md5(microtime(true).rand(1000, 5000)) .md5(microtime(true).rand(5000, 9999)) .md5(microtime(true).rand(1000, 5000));
The password is then hashed using the following calculation (once all the variables are expanded): $newhashedpassword = md5(md5($sSalt . APP_PRIVATE_DATA_NAME . $sSalt) . $newpass . md5($sSalt . APP_PRIVATE_DATA_NAME . $sSalt));
(APP_PRIVATE_DATA_NAME is by default defined as '_default_')
Would think the following would be more appropriate: $newhashedpassword = password_hash($newpass, PASSWORD_DEFAULT)
No need to store a SALT.php, no generating multiple md5 hashes, only to hash the hash, resulting in a final md5 hash that probably isn't that great.
The text was updated successfully, but these errors were encountered:
Hi Tom, thank you for your code review! I see you just signed up with Github so perhaps you're not yet familiar with all the Git stuff, but could you thy to create a pull request for this? Then the dev can just pull it in (after review)! Thanks!
as of version 1.11.3
I would expect admin password to be generated with a secure hashing function, with a suitably random salt.
This is not the case, instead the password is created using a md5 hash, which whilst salted, the salt generation is a mess, and reliant on md5 hashes to create the salt. A nice circular reference back to md5 hashes...which are just poor.
SALT.php is generated using include.php, specifically:
$sSalt = '<'.'?php //' .md5(microtime(true).rand(1000, 5000)) .md5(microtime(true).rand(5000, 9999)) .md5(microtime(true).rand(1000, 5000));
The password is then hashed using the following calculation (once all the variables are expanded):
$newhashedpassword = md5(md5($sSalt . APP_PRIVATE_DATA_NAME . $sSalt) . $newpass . md5($sSalt . APP_PRIVATE_DATA_NAME . $sSalt));
(APP_PRIVATE_DATA_NAME is by default defined as '_default_')
Would think the following would be more appropriate:
$newhashedpassword = password_hash($newpass, PASSWORD_DEFAULT)
No need to store a SALT.php, no generating multiple md5 hashes, only to hash the hash, resulting in a final md5 hash that probably isn't that great.
The text was updated successfully, but these errors were encountered: