科技回声
A tech news platform built on Next.js, providing global tech news and discussion content.
© 2025 科技回声. All rights reserved.

PHP bug: Password_verify() always returns true with some hash

43 points, by dutchbrit, over 2 years ago

12 comments

mikehall314, over 2 years ago
I'm actually quite surprised at the initial response by the PHP Core to this vulnerability. At the very least I would have thought a sensible approach would be to fail securely - so if supplied with a bad hash you return false, not true!
0xFEE1DEAD, over 2 years ago
> I fail to see how this is a bug if you feed it garbage

What an awful response to someone reporting a pretty serious security vulnerability.
donatj, over 2 years ago
Many comments here vastly overstate the seriousness of this. For it to be used as an attack, the attacker needs general write access to your database. You probably have much bigger issues on your hands if that is the case.

If they have write access they can already just set the hash to a known value for the same result.

It's a bug certainly, but of very little practical security concern.
mjburgess, over 2 years ago
More info: https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4

Seems to be caused by a strange non-standard PHP-specific crypto implementation.
bawolff, over 2 years ago
That's interesting, but I don't see how this can actually be leveraged into a vulnerability.

But gosh, between this and the SHA with null truncating bcrypt bug, PHP has had bad luck implementing password routines.
hiccuphippo, over 2 years ago
    This issue is caused by a PHP specific modification to the crypt_blowfish implementation that is fittingly named "PHP hack":

        php-src/ext/standard/crypt_blowfish.c
        Line 374 in 2740920
        if (tmp == '$') break; /* PHP hack */

Cheeky hacker.
captn3m0, over 2 years ago
The GitHub advisory is a better location to point this submission to: https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4
jefftk, over 2 years ago
password_verify was erroneously returning true for invalid hashes. In the most common case, where the user gives you a password and you immediately hash it and call password_verify, this doesn't come up, but any case where an attacker can influence the hash is at risk (e.g. hashing on the client).

The first comment on the bug report is pretty depressing.
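One defensive pattern for the situation jefftk describes (a stored or attacker-influenced hash that is not well-formed) is to validate the hash's structure before handing it to password_verify, so a malformed hash fails closed as mikehall314 suggests. This is an added example, not code from the thread, the advisory or php-src; the regular expression and the helper names are assumptions, and it deliberately accepts only bcrypt hashes of the shape password_hash() with PASSWORD_BCRYPT produces.

```php
<?php
declare(strict_types=1);

/**
 * Strict structural check for a bcrypt hash as produced by password_hash():
 *   $2[aby]$<two-digit cost 04..31>$<22 salt chars><31 digest chars>
 * restricted to the bcrypt base64 alphabet [./A-Za-z0-9]. Any extra '$',
 * wrong length or unexpected character is rejected up front, so the
 * crypt_blowfish "PHP hack" break-on-'$' path is never reached with
 * untrusted input. (Assumed helper; not part of PHP's API.)
 */
function bcrypt_hash_is_well_formed(string $hash): bool
{
    return preg_match('~^\$2[aby]\$(0[4-9]|[12][0-9]|3[01])\$[./A-Za-z0-9]{53}$~D', $hash) === 1;
}

/** Fail closed: a hash that does not pass the structural check never verifies. */
function safe_password_verify(string $password, string $hash): bool
{
    if (!bcrypt_hash_is_well_formed($hash)) {
        return false;
    }
    return password_verify($password, $hash);
}

// Constructed inputs: a freshly generated hash plus malformed variants of it.
// Cost 4 keeps the demo fast; use the default cost in production.
$good  = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]);
$cases = [
    'valid hash, right password' => [$good, 'correct horse', true],
    'valid hash, wrong password' => [$good, 'wrong', false],
    'extra $ inside the salt'    => ['$2y$04$$' . substr($good, 8), 'correct horse', false],
    'truncated hash'             => [substr($good, 0, 20), 'correct horse', false],
    'empty hash'                 => ['', 'correct horse', false],
];

foreach ($cases as $label => [$hash, $password, $expected]) {
    $got = safe_password_verify($password, $hash);
    printf("%-28s %s\n", $label, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Because the check whitelists bcrypt only, applications that also store argon2 hashes would need to extend it with the corresponding format rather than drop it.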
aldousd666, over 2 years ago
Man, he tried so hard to defend that bug.
jupp0r, over 2 years ago
Still one of the best blog articles ever written: "PHP: a fractal of bad design" https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/
mgrund, over 2 years ago
Could also be a backdoor in combination with another yet-to-be-discovered bug…
derrida, over 2 years ago
For some reason, whenever I've had to work with PHP, which was last about 10 years ago, I got giggles and "TNT" by AC/DC would play in my head. I'm remembering why...

P.H.P

DYNAMITE