
Our old forums are still available as a read-only archive.


sapphire/security/Security.php hash security issue


freakout

Community Member, 49 Posts

3 November 2008 at 2:16am

I have stumbled upon a design flaw in the internal encrypted password store. When I changed the way I build PHP (in particular, I added "-fstack-protector" to the compiler options), my passwords no longer matched and I could no longer log into any of my SilverStripe projects. I tracked the issue down to sapphire/security/Security.php line 794:

$password = substr(base_convert($password, 16, 36), 0, 64);

The PHP manual says: "base_convert() may lose precision on large numbers due to properties related to the internal "double" or "float" type used." So only around 10 characters of that 64-character string are really computed from the hash! The rest is some random data from the stack. Therefore the new compiler option crashed the password database. How can I fix this?
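The precision loss described above can be reproduced without touching PHP, because Python's float is the same IEEE-754 double that PHP's base_convert() falls back to for values wider than a C long. The following is an added example, not code from the original post or from SilverStripe: it models the lossy conversion by rounding the hex digest through a double before encoding it in base 36, compares that with an exact arbitrary-precision conversion, counts how many leading digits survive, and shows two different digests collapsing to the same stored value. The sample password, the sha256 digest, the helper names and the 64-character substr model are all assumptions made for the illustration; the exact-conversion helper stands in for what PHP's gmp extension would provide (gmp_strval(gmp_init($hex, 16), 36)).

```python
import hashlib
import math

BASE36_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"
DOUBLE_MANTISSA_BITS = 53  # IEEE-754 binary64, the C "double" PHP uses


def to_base36_exact(n: int) -> str:
    """Arbitrary-precision base-36 encoding of a non-negative integer.

    This is what base_convert() would have to do to preserve the whole
    hash. In PHP the gmp extension can do it, e.g.
    gmp_strval(gmp_init($hex, 16), 36); plain base_convert() cannot.
    """
    if n < 0:
        raise ValueError("negative values are not expected here")
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(BASE36_DIGITS[r])
    return "".join(reversed(out))


def to_base36_via_double(hex_str: str) -> str:
    """Model of base_convert($hex, 16, 36) for inputs wider than a C long.

    PHP parses such an input into a double before producing any digits, so
    the value is rounded to DOUBLE_MANTISSA_BITS significant bits at that
    point. The digits are produced exactly here; PHP's own extraction loop
    uses floating-point division, which cannot restore bits already lost
    (its tail digits may differ from this model, the information loss is
    the same).
    """
    rounded = int(float(int(hex_str, 16)))
    return to_base36_exact(rounded)


def reliable_digits(mantissa_bits: int = DOUBLE_MANTISSA_BITS) -> int:
    """How many leading base-36 digits a double can actually carry."""
    return int(mantissa_bits / math.log2(36))


def common_prefix_len(a: str, b: str) -> int:
    """Length of the shared leading run of two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def silverstripe_style_encode(hex_digest: str) -> str:
    """Model of the quoted line: substr(base_convert($password, 16, 36), 0, 64)."""
    return to_base36_via_double(hex_digest)[:64]


def same_stored_value(hex_a: str, hex_b: str) -> bool:
    """True when two *different* hashes collapse to one stored value."""
    return hex_a != hex_b and (
        silverstripe_style_encode(hex_a) == silverstripe_style_encode(hex_b)
    )


# Constructed sample input (assumption): the sha256 hex digest of a made-up
# password, plus a second digest that differs only in its last hex digit,
# i.e. in the low four bits that the double rounding throws away.
SAMPLE_HEX = hashlib.sha256(b"correct horse battery staple").hexdigest()
TWEAKED_HEX = SAMPLE_HEX[:-1] + ("0" if SAMPLE_HEX[-1] != "0" else "1")

if __name__ == "__main__":
    exact = to_base36_exact(int(SAMPLE_HEX, 16))
    lossy = to_base36_via_double(SAMPLE_HEX)
    print("exact :", exact)
    print("lossy :", lossy)
    print("leading digits that agree:", common_prefix_len(exact, lossy),
          "(a double carries about", reliable_digits(), ")")
    print("tweaked digest stores identically:",
          same_stored_value(SAMPLE_HEX, TWEAKED_HEX))
```

The ten-digit figure comes straight from the mantissa: 53 bits divided by log2(36) is a little over 10, so everything past roughly the tenth base-36 digit is a function of rounding, not of the hash. Two consequences follow for anyone fixing this. First, an exact conversion (or simply storing the hex digest) produces different strings from the ones already in the database, so stored values written by the lossy path would have to be re-hashed when each user next logs in rather than migrated in place. Second, any change to how the double is produced, as the poster saw with a different compiler configuration, can alter the tail digits and invalidate every stored password at once.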

Willr

Forum Moderator, 5513 Posts

3 November 2008 at 6:07pm

You might want to post this issue as a ticket on open.silverstripe.com. You could change it yourself by removing the base_convert(), but I have no idea what it's going to break :(