Hello, I skimmed through the code very briefly and was shocked by the security of the software.
Hashing for the password is very weak: users are using the md5 hash function through MySQL while admins are using PHP sha1 as the hash. Although the admin's password was salted, the salt was not a unique one for every installation.
Over the years, sha1 and md5 have been considered to be weak since they can be deciphered/decrypted.
The PHP dev team has strongly suggested the use of crypt() or password_hash(), which is a simple crypt() wrapper and compatible with existing password hashes.
There are also articles like this out there that support the use of bcrypt and not sha1/2/3/256/512 or md5, etc.
References for the code:
@mysql_query("INSERT INTO users (date_created,sso_user,sso_pass,username,password,email_address,first_name,last_name) VALUES(NOW(),AES_ENCRYPT('$username', '$enc_key'),AES_ENCRYPT('$password', '$enc_key'),'$username',MD5('$password'),'$email','$first_name','$last_name')") or die('Failed to create user: '.mysql_error());
$password = base64_encode(sha1('ZzaX'.$password.'GPX88'));
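The two schemes quoted above and the password_hash() replacement the reporter points to, as an added PHP example that is not this project's code and not written by either participant: it reproduces the legacy hashes only for comparison, shows the bcrypt path, and adds a verify function that upgrades a stored legacy hash on the first successful login. The function names, the returned array shape and the sample password are assumptions for illustration; only the 'ZzaX'/'GPX88' salt strings come from the quoted source.

```php
<?php
// Added example, not this project's code: the two legacy schemes quoted in the
// issue, the password_hash() replacement, and a verify path that upgrades
// legacy rows on first successful login. Function names and the returned
// array shape are illustrative; only the 'ZzaX'/'GPX88' salt strings are
// taken from the quoted source.
declare(strict_types=1);

// ---- Legacy schemes, reproduced only for comparison (do not use) ----------

// Users: MD5('$password') in the INSERT. No salt, so every user (and every
// installation) with the same password stores the same 32-hex string, and
// a single MD5 wordlist lookup cracks all of them at once.
function legacy_user_hash(string $password): string
{
    return md5($password);
}

// Admins: base64(sha1(salt . password . salt)) with a salt that is a constant
// in the shipped source. One wordlist run with that salt covers every install.
function legacy_admin_hash(string $password): string
{
    return base64_encode(sha1('ZzaX' . $password . 'GPX88'));
}

// ---- Recommended: password_hash() / password_verify() ---------------------

// bcrypt with a per-hash random salt and a tunable work factor; the algorithm,
// cost and salt are all encoded in the returned string.
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

// Checks $password against whatever is stored and says what to write back.
// 'new_hash' is non-null when the row should be updated (legacy scheme, or a
// bcrypt hash written with a lower cost than we now want).
function verify_and_upgrade(string $password, string $stored, bool $isAdmin): array
{
    // A crypt()-style hash carries its own salt and parameters; password_verify
    // reads them out of $stored.
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        if (!password_verify($password, $stored)) {
            return ['ok' => false, 'new_hash' => null];
        }
        $needsUpgrade = password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => 12]);
        return ['ok' => true, 'new_hash' => $needsUpgrade ? hash_password($password) : null];
    }

    // Legacy row: recompute the old scheme, compare in constant time, and
    // replace it with a bcrypt hash so the weak hash leaves the database.
    $expected = $isAdmin ? legacy_admin_hash($password) : legacy_user_hash($password);
    if (!hash_equals($expected, $stored)) {
        return ['ok' => false, 'new_hash' => null];
    }
    return ['ok' => true, 'new_hash' => hash_password($password)];
}

// ---- Demonstration on constructed input -----------------------------------

$pw = 'correct horse battery staple'; // constructed sample password

// Unsalted MD5: two accounts with the same password are indistinguishable.
$alice = legacy_user_hash($pw);
$bob   = legacy_user_hash($pw);
printf("legacy md5 identical across users: %s\n", $alice === $bob ? 'yes' : 'no');

// bcrypt: same password, different hashes (random salt), both verify.
$h1 = hash_password($pw);
$h2 = hash_password($pw);
printf("bcrypt hashes differ: %s, both verify: %s\n",
    $h1 !== $h2 ? 'yes' : 'no',
    (password_verify($pw, $h1) && password_verify($pw, $h2)) ? 'yes' : 'no');

// Migration: a stored legacy admin hash is accepted once and replaced.
$adminRow = ['password' => legacy_admin_hash($pw)];
$result = verify_and_upgrade($pw, $adminRow['password'], true);
if ($result['ok'] && $result['new_hash'] !== null) {
    // Persist with a prepared statement, never by interpolating into SQL:
    //   UPDATE users SET password = ? WHERE id = ?
    $adminRow['password'] = $result['new_hash'];
}
printf("admin login ok: %s, now stored as bcrypt: %s\n",
    $result['ok'] ? 'yes' : 'no',
    password_get_info($adminRow['password'])['algoName'] !== 'unknown' ? 'yes' : 'no');

// Wrong password against the upgraded row is rejected.
$bad = verify_and_upgrade('wrong', $adminRow['password'], true);
printf("wrong password rejected: %s\n", $bad['ok'] ? 'no' : 'yes');
```

The legacy comparison goes through hash_equals() rather than `==` so the check does not leak timing, and the legacy scheme is recomputed only for rows that password_get_info() does not recognise as a crypt()-format hash; once every user has logged in once, the MD5 and fixed-salt sha1 values are gone from the table and the legacy functions can be deleted.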
While I have been so busy that I haven't had time to update in a while, I admit there have been security issues present. However, keep in mind this is an open source project, and people can commit fixes to the code if there are issues. Have those addressing the issues contributed fixes for them? Just curious, because if you're not willing to write code, but you're willing to complain about a free project with 1 developer, not sure what you expect. Nor do I appreciate you calling something I spend my personal time on, that hasn't been updated in practically a year, a "joke."

I'd like to spend more of my time on this but lately I've been too busy to do so.
On Apr 10, 2015 7:59 PM, "Kevin Gilbert" notifications@github.com wrote:
Well said