-
Notifications
You must be signed in to change notification settings - Fork 101
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use of a Broken or Risky Cryptographic Algorithm in geshi/geshi.php #109
Comments
Where exactly is the security problem here? |
maybe substr(0,4) from md5(randomstuff) is too predictible, doesn't this let us with something like 36^4 possibility "only"??? https://phpsecurity.readthedocs.io/en/latest/Insufficient-Entropy-For-Random-Values.html
|
And where exactly is a random HTML id attribute a security problem? |
md5(microtime()) This function uses the !php_standard_ns.md5() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. |
|
The provided algorithm is for generating a set of random IDs in case where the user does not provide a custom one, but where still the code needs to generate some (somewhat) unique ID. As the ID is truncated to be short even using something "more secure" like SHA-256 or Keccak won't solve the problem of collissions. The only solution really fixing the issue would be for the user of the library to provide GeSHi with a guaranteed-random base ID. In absence of a guaranteed-unique value provided by the caller, reasonably trying to generate something random is sufficient (and NOT a security issue); i.e. the worst that can happen is the UA rendering the returned string switching to Quirks Mode due to duplicated generated IDs in the document. |
Use of a Broken or Risky Cryptographic Algorithm in geshi/geshi.php. line number 3827.
$this->overall_id = 'geshi-' . substr(md5(microtime()), 0, 4);
The text was updated successfully, but these errors were encountered: