Serious crypto bug found in PHP 5.3.7

Viruses, hackers and crackers
Post Reply
User avatar
Ron2K
Forum Technical Administrator
Posts: 9050
Joined: 04 Jul 2006, 16:45
Location: Upper Hutt, New Zealand
Contact:

Serious crypto bug found in PHP 5.3.7

Post by Ron2K »

ThreatPost wrote:The maintainers of the PHP scripting language are warning users about a serious crypto problem in the latest release and advising them not to upgrade to PHP 5.3.7 until the bug is resolved.

PHP 5.3.7 was just released last week and that version contained fixes for a slew of security vulnerabilities. But now a serious flaw has been found in that new release that is related to the way that one of the cryptographic functions handles inputs. In some cases, when the crypt() function is called using MD5 salts, the function will return only the salt value instead of the salted hash value.

The problem does not occur when using Blowfish or DES, only with MD5. The initial bug report on the problem in the PHP system appeared Aug. 17, the day before the public stable release of PHP 5.3.7.
Source

So don't say I didn't warn you lot. :P
Kia kaha, Kia māia, Kia manawanui.
User avatar
rustypup
Registered User
Posts: 8872
Joined: 13 Dec 2004, 02:00
Location: nullus pixius demonica
Contact:

Re: Serious crypto bug found in PHP 5.3.7

Post by rustypup »

This is what early adopters are for... bugbait...
Most people would sooner die than think; in fact, they do so - Bertrand Russel
RuadRauFlessa
Registered User
Posts: 20576
Joined: 19 Sep 2003, 02:00
Location: Bloodbank

Re: Serious crypto bug found in PHP 5.3.7

Post by RuadRauFlessa »

Agreed. I tend to always stay one version behind. To make sure I'm not bugbait :P
:rock: :rock: :rock: :rock: :rock: :rock: :rock: :rock: :rock: :rock:
Spoiler (show)
Intel Core i7-2600k @ 3.4GHz
Corsair Vengence 2x4GB DDR3 2000MHz
Thermaltake Toughpower 850W
ASUS nVidia GTX560 1GB
CoolerMaster HAF 932
Post Reply