Forgot your password?
typodupeerror
PHP Programming Security

Serious Crypto Bug Found In PHP 5.3.7 165

Posted by timothy
from the pronounced-pfffffpp dept.
Trailrunner7 writes "The maintainers of the PHP scripting language are warning users about a serious crypto problem in the latest release and advising them not to upgrade to PHP 5.3.7 until the bug is resolved. PHP 5.3.7 was just released last week and that version contained fixes for a slew of security vulnerabilities. But now a serious flaw has been found in that new release that is related to the way that one of the cryptographic functions handles inputs. In some cases, when the crypt() function is called using MD5 salts, the function will return only the salt value."
This discussion has been archived. No new comments can be posted.

Serious Crypto Bug Found In PHP 5.3.7

Comments Filter:
  • Worst of all worlds (Score:4, Interesting)

    by 93 Escort Wagon (326346) on Tuesday August 23, 2011 @02:25AM (#37175244)

    I know there's no reason a skilled programmer can't use php, but in my experience the users that request php access are generally the users who you'd least want to have any sort of script-level access to your servers. When I've explained to requestors why we don't generally provide php, I've been told on several occasions "I don't want or need the ability to run scripts! I just want to create php web pages." Oh, and mysql access requests usually come hand-in-hand with php requests.

    I remember one guy, quite a few years ago, who asked us to 1) enable php on our department's web server; and 2) give him access to create and run php scripts. To demonstrate to us that he wasn't just another newbie... he wrote a php script and placed it on his own personal box as a demo of his coding skill. This script let anyone, anywhere, examine the content of any file in the /etc/ directory via an easy to use web interface.

    We politely declined his request.

Remember: use logout to logout.

Working...