Use of a Broken or Risky Cryptographic Algorithm in geshi/geshi.php #109
Comments
|
Where exactly is the security problem here? |
|
maybe substr(0,4) from md5(randomstuff) is too predictible, doesn't this let us with something like 36^4 possibility "only"??? https://phpsecurity.readthedocs.io/en/latest/Insufficient-Entropy-For-Random-Values.html
|
|
And where exactly is a random HTML id attribute a security problem? |
|
md5(microtime()) This function uses the !php_standard_ns.md5() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. |
|
|
The provided algorithm is for generating a set of random IDs in case where the user does not provide a custom one, but where still the code needs to generate some (somewhat) unique ID. As the ID is truncated to be short even using something "more secure" like SHA-256 or Keccak won't solve the problem of collissions. The only solution really fixing the issue would be for the user of the library to provide GeSHi with a guaranteed-random base ID. In absence of a guaranteed-unique value provided by the caller, reasonably trying to generate something random is sufficient (and NOT a security issue); i.e. the worst that can happen is the UA rendering the returned string switching to Quirks Mode due to duplicated generated IDs in the document. |
Use of a Broken or Risky Cryptographic Algorithm in geshi/geshi.php. line number 3827.
$this->overall_id = 'geshi-' . substr(md5(microtime()), 0, 4);
The text was updated successfully, but these errors were encountered: