Security vulnerability

[lablnet]

Hi,

I am trying to test the encryption class, and find that even with a static key, the result changes every single time the script is run.

Also if I paste back into the script an encrypted string then even if the key is changed the string is decrypted..... That cant be right surely, because every single person that runs your class would be able to just decrypt strings without knowing the key?

running this code will replicate the issue

<?php

use Lablnet\Encryption;

require 'vendor/autoload.php';

$encryption = new Encryption('openssl','test');

//Encrypt the message
$encrypt = $encryption->encrypt('some text');
echo strlen(utf8_decode($encrypt)).'<br>';

echo 'Encrypted text: '.$encrypt;
echo "<br\>";

//Decrypt the message
$decrypt = $encryption->decrypt('SWJuRkE1SmxUS0FrRHpacXc0OG9raXl0MUZITnl3T3ZzM2FjcnlYbWViQT0mJmQwMzg3ZjUxYzliNzdmOThmZTRiNjQ0M2E0ODFiMmQ1');
echo '<br> Decrypted/plain text: '.$decrypt;
$decrypt2 = $encryption->decrypt($encrypt);
echo '<br>Decrypted/plain text: '.$decrypt2;

Can you tell me what the encoded string resolves too? Even though the key that encrypted it was not the one in the script?

Posted

Jason Ellmers in phpclasses site form.

[lablnet]

@peter279k look to this pls

[peter279k]

@lablnet, could you tell issue author to look at this issue on GitHub issue link?

[lablnet]

@lablnet, could you tell issue author to look at this issue on GitHub issue link?

Done

[peter279k]

@lablnet, the hash function can allow to use the empty key string with sha-512.

It should throw some exceptions when developers try to use empty string to be key.

[lablnet]

I test it the issue is that the key is useless here
well here is an example

//Encrypt the message
    $encrypt = $encryption->encrypt('This is a text');

    echo 'Encrypted text: '.$encrypt;

it will give us, now decrypt is using different key

$decrypt = $encryption->decrypt("NXJjbEEzMWhsSUpuQ2dJMkIwREJjZz09JiYzMmRhNmZhODY1Y2QxNThjOWU0MTZhMWRmMDRhMGU1OA==");
    echo '<br>Decrypted/plain text: '.$decrypt;

it will success print display: Decrypted/plain text: This is a text

Is not that security bug?
@peter279k

[peter279k]

I test it the issue is that the key is useless here
well here is an example

//Encrypt the message
    $encrypt = $encryption->encrypt('This is a text');

    echo 'Encrypted text: '.$encrypt;

it will give us, now decrypt is using different key

$decrypt = $encryption->decrypt("NXJjbEEzMWhsSUpuQ2dJMkIwREJjZz09JiYzMmRhNmZhODY1Y2QxNThjOWU0MTZhMWRmMDRhMGU1OA==");
    echo '<br>Decrypted/plain text: '.$decrypt;

it will success print display: Decrypted/plain text: This is a text

Is not that security bug?
@peter279k

@lablnet, could you show whole sample code snippets that you concern?

[lablnet]

I test it the issue is that the key is useless here
well here is an example

//Encrypt the message
    $encrypt = $encryption->encrypt('This is a text');

    echo 'Encrypted text: '.$encrypt;

it will give us, now decrypt is using different key

$decrypt = $encryption->decrypt("NXJjbEEzMWhsSUpuQ2dJMkIwREJjZz09JiYzMmRhNmZhODY1Y2QxNThjOWU0MTZhMWRmMDRhMGU1OA==");
    echo '<br>Decrypted/plain text: '.$decrypt;

it will success print display: Decrypted/plain text: This is a text
Is not that security bug?
@peter279k

@lablnet, could you show whole sample code snippets that you concern?

<?php

    use Lablnet\Encryption;

    require '../vendor/autoload.php';

    $encryption = new Encryption('12345');

    //Encrypt the message
    $encrypt = $encryption->encrypt('This is a text');

    echo 'Encrypted text: '.$encrypt;

    $encryption2 = new Encryption('test');
    //Decrypt the message
    $decrypt = $encryption2->decrypt("NXJjbEEzMWhsSUpuQ2dJMkIwREJjZz09JiYzMmRhNmZhODY1Y2QxNThjOWU0MTZhMWRmMDRhMGU1OA==");
    echo '<br>Decrypted/plain text: '.$decrypt;

From above clearly shows the key is useless, the msg encrypt using key 12345, and decrypted successfully using key test