Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security issue : use hash_equals() instead of '===' to compare hashes #284

Open
mazaheriaan opened this issue Dec 19, 2019 · 0 comments
Open

Security issue : use hash_equals() instead of '===' to compare hashes #284

mazaheriaan opened this issue Dec 19, 2019 · 0 comments

Comments

@mazaheriaan
Copy link

mazaheriaan commented Dec 19, 2019
edited
Loading

Hi dev,
I would like to point out a security issue in the Bcrypt class:

public function verify($input, $existingHash) {
	$hash = crypt($input, $existingHash);

	return $hash === $existingHash;
}

A simple strict equals sign === is used for hash comparison, which is vulnerable to timing attack.
The hash_equals() function should be used (http://php.net/manual/en/function.hash-equals.php) for comparing hashes.
see also: https://www.php.net/manual/en/function.crypt
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mazaheriaan