SilverStripe Forums » Archive » sapphire/security/Security.php hash security issue

Our old forums are still available as a read-only archive.

1495 Views
freakout (Community Member, 49 Posts)

sapphire/security/Security.php hash security issue

I have stumbled over a design flaw of the internal encrypted password store. When I changed the way PHP is built - in particular I added "-fstack-protector" to the compiler options - my passwords no longer matched and I could no longer log in to any of my SilverStripe projects. I tracked down the issue to sapphire/security/Security.php line 794:

    $password = substr(base_convert($password, 16, 36), 0, 64);

The PHP manual says: "base_convert() may lose precision on large numbers due to properties related to the internal "double" or "float" type used." So only around 10 characters of that 64-character string really are computed from the hash! The rest is some random data from the stack. Therefore the new compiler option crashed the password database. How can I fix this?

Willr (Forum Moderator, 5482 Posts)

Re: sapphire/security/Security.php hash security issue

You might want to post this issue as a ticket on open.silverstripe.com. You could change it yourself by removing the base_convert(), but I have no idea what it's going to break.
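The precision loss freakout describes, and what "removing the base_convert()" would change, as an added example that is not part of this thread and not SilverStripe's or PHP's own code: a Python model of the float path PHP's base_convert() takes on numbers too large for a native integer (accumulate the digits in a C double, then convert back by repeated fmod/division). That model, the function names, and the two sample digest strings are my assumptions, constructed for the example; exact_base36() shows what the same conversion yields with arbitrary-precision integers, i.e. without the double round-trip.

```python
import math

BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def php_float_accumulate(hex_digits: str) -> float:
    """Model (assumption, not PHP's source) of how base_convert() reads a number
    that overflows a native integer: the digits are accumulated in a C double,
    so only the leading 53 bits of the value survive."""
    value = 0.0
    for ch in hex_digits.lower():
        # value * 16 is exact in binary floating point; the "+ digit" is what
        # gets rounded away once value has reached 2**53
        value = value * 16 + int(ch, 16)
    return value


def php_float_to_base36(value: float) -> str:
    """Model of base_convert()'s double-to-string path: repeated fmod / divide."""
    out = []
    while True:
        out.append(BASE36[int(math.fmod(value, 36))])
        value /= 36
        if abs(value) < 1:
            break
    return "".join(reversed(out))


def php_base_convert_model(hex_digits: str) -> str:
    """base_convert($hex, 16, 36) as modelled above."""
    return php_float_to_base36(php_float_accumulate(hex_digits))


def exact_base36(hex_digits: str) -> str:
    """The same conversion done with arbitrary-precision integers: every bit of
    the input digest is reflected in the output."""
    n = int(hex_digits, 16)
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(BASE36[r])
    return "".join(reversed(out))


def effective_prefix_length(hex_digits: str) -> int:
    """How many leading hex digits still influence the accumulated double.
    Every digit after that position is rounded away whatever its value."""
    n = len(hex_digits)
    for k in range(1, n + 1):
        low = hex_digits[:k] + "0" * (n - k)
        high = hex_digits[:k] + "f" * (n - k)
        if php_float_accumulate(low) == php_float_accumulate(high):
            return k
    return n


# Constructed sample digests (not real SilverStripe password hashes): same first
# 16 hex digits, completely different in the remaining 48.
DIGEST_A = "deadbeefcafe0123" + "0" * 48
DIGEST_B = "deadbeefcafe0123" + "f" * 48

if __name__ == "__main__":
    print("model A:", php_base_convert_model(DIGEST_A)[:64])
    print("model B:", php_base_convert_model(DIGEST_B)[:64])
    print("exact A:", exact_base36(DIGEST_A))
    print("exact B:", exact_base36(DIGEST_B))
    print("hex digits that matter:", effective_prefix_length(DIGEST_A),
          "of", len(DIGEST_A))
```

Under this model the two digests, which differ in 192 of their 256 bits, produce the same stored string, while the exact conversion keeps them distinct. A double carries 53 significant bits, so only about log36(2^53), roughly 10, of the base-36 characters actually encode the hash, which matches the "around 10 characters" observation above; any two password hashes that agree in their first 14 or so hex digits are stored identically, and the low characters depend on floating-point rounding rather than on the password. The defensive takeaway is the one Willr points at: compare the untransformed hex digest (or an exact-integer conversion of it) and keep float arithmetic out of the path between hash and stored value.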
