Uses MD5 for Authentication #73
I was playing with the source code, and noticed that the php login uses an unsalted MD5 hashing function. The issue was easy to fix, though I felt like you should be aware.
Replacing md5 hashing functions with hash('sha512', $password, FALSE) seems to have worked for me, after changing user_password entries in the db and looking through the php files.
On post, query for user_username. If the username exists, check if user_password is not the length of a SHA512 sum.
If not the length of a SHA512 sum, hash the password with MD5 and authenticate, else hash with SHA512.
If the user authenticates with MD5, hash the original password again, but this time using a stronger algorithm. Then update the SQL database entry where user_username="form input".
SHA-1 has a collision vulnerability that was discovered in 2017, so that one can't be used.
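The login-time migration described in this issue, written out as an added example (it is not the project's code). It assumes a PDO connection and a table named `users` (assumed name) with the `user_username` and `user_password` columns from the issue; the "stronger algorithm" is PHP's salted `password_hash()`/`password_verify()` rather than the raw SHA-512 the issue proposes, a substitution made here because an unsalted fast hash remains cheap to brute-force offline.

```php
<?php
// Added example, not the project's own code. Assumptions: PDO handle, table
// `users` (assumed), columns user_username / user_password (from the issue).

function authenticate_and_migrate(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT user_password FROM users WHERE user_username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user; no migration is possible
    }

    // Legacy rows hold a 32-character hex MD5 digest; migrated rows hold a
    // password_hash() string such as "$2y$10$...". This generalises the
    // issue's length check into a shape check on the stored value.
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);

    if ($isLegacyMd5) {
        // Constant-time comparison so the check does not leak via timing.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        // Authenticated under the old scheme: re-hash the plaintext we were
        // just given with the stronger algorithm and replace the MD5 in place.
        $upd = $db->prepare('UPDATE users SET user_password = :p WHERE user_username = :u');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Already migrated; re-hash again only if the default cost has since risen.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET user_password = :p WHERE user_username = :u');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}
```

Once every row has been migrated, the MD5 branch can be removed and any remaining 32-character hex entries treated as accounts needing a password reset.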