
sapphire/security/Security.php hash security issue

2 Posts   1839 Views


Community Member, 49 Posts

3 November 2008 at 2:16am

I have stumbled upon a design flaw in the internal encrypted password store. When I changed the way PHP is built (in particular, I added "-fstack-protector" to the compiler options), my passwords no longer matched and I could no longer log into any of my SilverStripe projects. I tracked down the issue to sapphire/security/Security.php line 794:

$password = substr(base_convert($password, 16, 36), 0, 64);

The PHP manual says: "base_convert() may lose precision on large numbers due to properties related to the internal "double" or "float" type used." So only around 10 characters of that 64-character string really are computed from the hash! The rest is some random data from the stack. Therefore the new compiler option crashed the password database. How can I fix this?
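To make the precision loss concrete, here is an added example (not code from SilverStripe or from either poster) that runs the Security.php line above on a SHA-1 digest and compares the result with an exact hex-to-base-36 conversion done by schoolbook long division on strings, so no gmp or bcmath extension is needed. The sample password is constructed, and the helper names hexToBase36Exact and matchingPrefixLength are this example's own. Because base_convert() goes through a double with a 53-bit mantissa, and 36^10 is the largest power of 36 below 2^53, only the first ten or so base-36 characters can carry information from the hash; everything after them is whatever the rounded double happens to expand to.

```php
<?php
// Added example: how much of base_convert()'s base-36 output is really
// derived from a 40-hex-digit SHA-1 digest. Helper names are this example's own.

// Exact hex -> base-36 conversion by repeated long division on a digit array,
// so the result does not pass through a double and loses nothing.
function hexToBase36Exact(string $hex): string
{
    $alphabet = '0123456789abcdefghijklmnopqrstuvwxyz';
    // Number as an array of base-16 digit values, most significant first.
    $num = array_map('hexdec', str_split(strtolower($hex)));
    $out = '';
    while (count($num) > 0) {
        $quotient = [];
        $rem = 0;
        foreach ($num as $d) {
            $cur = $rem * 16 + $d;        // bring down the next hex digit
            $q = intdiv($cur, 36);
            $rem = $cur % 36;
            if ($q > 0 || count($quotient) > 0) {
                $quotient[] = $q;         // drop leading zeros of the quotient
            }
        }
        $out = $alphabet[$rem] . $out;    // remainder is the next base-36 digit
        $num = $quotient;
    }
    return $out === '' ? '0' : $out;
}

// Number of leading characters on which two strings agree.
function matchingPrefixLength(string $a, string $b): int
{
    $n = min(strlen($a), strlen($b));
    for ($i = 0; $i < $n; $i++) {
        if ($a[$i] !== $b[$i]) {
            return $i;
        }
    }
    return $n;
}

// Constructed sample input; any 40-hex-digit SHA-1 digest behaves the same way.
$hash = sha1('correct horse battery staple');

// The conversion from sapphire/security/Security.php as quoted in the post.
$lossy = substr(base_convert($hash, 16, 36), 0, 64);

// The same conversion without the double in the middle.
$exact = hexToBase36Exact($hash);

printf("hex digest:  %s\n", $hash);
printf("base_convert %s\n", $lossy);
printf("exact        %s\n", $exact);
printf("leading characters that agree: %d of %d\n",
    matchingPrefixLength($lossy, $exact), strlen($exact));
```

Run it with the PHP CLI; the two base-36 strings share only their first ten or eleven characters, which is the figure the post arrives at from the manual's warning. The exact converter also shows what an equivalent of the line would need in order to keep the full digest, which is why simply dropping base_convert() would change every stored hash rather than repair it.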


Forum Moderator, 5523 Posts

3 November 2008 at 6:07pm

You might want to post this as a ticket on the issue tracker. You could change it yourself by removing the base_convert(), but I have no idea what it's going to break :(