Hacker News new | past | comments | ask | show | jobs | submit login

I'm actually quite surprised at the initial response by the PHP Core to this vulnerability. At very least I would have thought a sensible approach would be to fail securely - so if supplied with a bad hash you return false, not true!



It looks to me like it's trying to return false on a bad hash but missed one of the three ways crypt can signal failure (returning the input unmodified).


> but missed one of the three ways crypt can signal failure (returning the input unmodified)

Returning the input unmodified is not failure, but success. That's how you check that a password is valid without having a specialized API.


EDIT: I misread the linked post, ignore me!

<strike>crypt is the hashing function, not the password checking function</strike>


I assume s/bit/not/. The checking function is “does the given password with the stored parameters hash to the same value as the stored hash”. Hash functions are deterministic.

So returning the original hash for a valid password is the success case.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: