Serious Cryptographic Bug Fixed in PHP

By Fahmida Y. Rashid  |  Posted 2011-08-23

The PHP Group has fixed the serious bug in the cryptographic function in PHP 5.3.7 and pushed out the fix a day later in the latest PHP 5.3.8.

The PHP Group released PHP 5.3.7 on Aug. 18, but developers were told to not upgrade to that version after the bug in how the crypt() function handled certain inputs was discovered on Aug. 22. When supplied with a MD5 salt, the function returned only the salt value instead of the salted hash value it was supposed to return. Simply put, the function wasn't actually encrypting anything and just returning the same value.

"If crypt() is executed with MD5 salts, the return value conists of the salt only. DES and BLOWFISH salts work as expected. I tested with php from openSUSE PHP5 repository," the bug report said. Other PHP users were able to reproduce the problem later on other platforms, as well.

Version 5.3.8, released Aug. 23, fixed the crypt() issue and also rolled back a change to version 5.3.6 behavior to address a different issue introduced in 5.3.7 that was causing SSL sessions to hang.

All PHP users should upgrade to 5.3.8 as the PHP 5.2 series is no longer being supported, recommended Christopher Carboni, an "incident handler" at the SANS Institute's Internet Storm Center.

Rocket Fuel