PHP :: Bug #54721 :: crypt function

Bug #54721

crypt function

Submitted:

2011-05-12 17:50 UTC

Modified:

2011-05-24 15:48 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

os at irj dot ru

Assigned:

pajoye (profile)

Status:

Closed

Package:

*Encryption and hash functions

PHP Version:

5.3.6

OS:

Windows 7 x64

Private report:

CVE-ID:

None

View Developer Edit

[2011-05-12 17:50 UTC] os at irj dot ru

Description:
------------
Win 7 x64
PHP 5.3.6 x86 MSVC9 (Visual C++ 2008) Thread Safety AS Apache 2.2 Module
Apache/2.2.17 x86 NO SSL


Test script:
---------------
<pre>
<?php 
echo crypt("dev", '$1$dW0.is5.$10CH101gGOr1677ZYd517.'); 
?>

Expected result:
----------------
$1$dW0.is5.$10CH101gGOr1677ZYd517.

Actual result:
--------------
FireFox 4:
$1$dW0.is5.$fELOCg/o4M4JSqjT0FAaZ1

IE 9 with meny F5 refresh actual result is
Result 1: $1$dW0.is5.$PAX1vDQNMC0Ag2U3joEb71
Result 2: $1$dW0.is5.$fELOCg/o4M4JSqjT0FAaZ1
in cycle

If I reload apache 2 service hash result are changing to other, etc
FF: $1$dW0.is5.$j9t0S3va.9brcE2kIILGx1
IE: $1$dW0.is5.$d2QAXWA.uqHWaY1KopvYr., $1$dW0.is5.$j9t0S3va.9brcE2kIILGx1

Patches

fix (last revision 2011-05-21 12:56 UTC by os at irj dot ru)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2011-05-12 18:00 UTC] os at irj dot ru

-Operating System: Windows 7 x86 +Operating System: Windows 7 x64

[2011-05-12 18:00 UTC] os at irj dot ru

Sorry, OS is Windows 7 x64 with 8GB RAM, CPU Core I5 760 (4 cores).

[2011-05-12 18:32 UTC] [email protected]

-Status: Open +Status: Feedback

[2011-05-12 18:32 UTC] [email protected]

The browsers have nothing to do with the server side running code. Please try 
using the CLI interface (cmd line) to confirm the results.

[2011-05-12 18:50 UTC] os at irj dot ru

-Status: Feedback +Status: Open

[2011-05-12 18:50 UTC] os at irj dot ru

In CLI mode crypt function work normaly, but as apache 2 module bug present

CMD Log:

Microsoft Windows [Version 6.1.7601]
(c) Корпорация Майкрософт (Microsoft Corp.), 2009. Все права защищены.

C:\Windows\system32>cd D:\Web\var\avers.localhost

C:\Windows\system32>d:

D:\Web\var\avers.localhost>D:\Web\bin\php\php.exe  D:\Web\var\avers.localhost\te
st.php
<pre>
$1$dW0.is5.$em49ePD07X75OTvpVod410
D:\Web\var\avers.localhost>D:\curl\curl.exe http://avers.localhost/test.php
<pre>
$1$dW0.is5.$d2QAXWA.uqHWaY1KopvYr.
D:\Web\var\avers.localhost>..\..\apache22\bin\httpd.exe -k restart
httpd.exe: Could not reliably determine the server's fully qualified domain name
, using 192.168.0.240 for ServerName

D:\Web\var\avers.localhost>D:\curl\curl.exe http://avers.localhost/test.php
<pre>
$1$dW0.is5.$PD4o/IBVjS2AVWa1.Rpdi/
D:\Web\var\avers.localhost>

[2011-05-12 18:58 UTC] os at irj dot ru

Sorry, in cli mode bug too (in previos command I use a old CLI php)
This is a correct log

D:\Web\var\avers.localhost>D:\Web\php53\php.exe D:\Web\var\avers.localhost\test.
php
<pre>
$1$dW0.is5.$.O4MUs7rYRmlSuPIA16Jt.
D:\Web\var\avers.localhost>D:\Web\php53\php.exe D:\Web\var\avers.localhost\test.
php
<pre>
$1$dW0.is5.$sVRmxDm7.B8xcTu1HZKf6/
D:\Web\var\avers.localhost>D:\Web\php53\php.exe D:\Web\var\avers.localhost\test.
php
<pre>
$1$dW0.is5.$zI8c4NaU.KzK2y5u.W4Ax.
D:\Web\var\avers.localhost>D:\Web\php53\php.exe -v
PHP 5.3.6 (cli) (built: Mar 17 2011 10:37:07)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies

D:\Web\var\avers.localhost>D:\curl\curl.exe http://avers.localhost/test.php
<pre>
$1$dW0.is5.$PD4o/IBVjS2AVWa1.Rpdi/
D:\Web\var\avers.localhost>D:\curl\curl.exe http://avers.localhost/test.php
<pre>
$1$dW0.is5.$PD4o/IBVjS2AVWa1.Rpdi/
D:\Web\var\avers.localhost>..\..\apache22\bin\httpd.exe -k restart
httpd.exe: Could not reliably determine the server's fully qualified domain name
, using 192.168.0.240 for ServerName

D:\Web\var\avers.localhost>D:\curl\curl.exe http://avers.localhost/test.php
<pre>
$1$dW0.is5.$.y5yjTLPgypzeHv0FU7zW0
D:\Web\var\avers.localhost>D:\Web\php53\php.exe  D:\Web\var\avers.localhost\test
.php
<pre>
$1$dW0.is5.$m.YjcIs.joLsQHQGZ0bxn/
D:\Web\var\avers.localhost>

[2011-05-13 06:06 UTC] os at irj dot ru

From download page I downloaded VC9 x86 Thread Safe (2011-Mar-22 13:27:32) as ZIP arhive, unzip it and run test script at office using cli interface on Microsoft Windows 7 x86, bug too.

Expected result:
$1$dW0.is5.$em49ePD07X75OTvpVod410

Actual result:
D:\tmp>php test.php
<pre>
$1$dW0.is5.$EkFno5M.sWHzVKG.KcE4g.
D:\tmp>php test.php
<pre>
$1$dW0.is5.$C08LtG..f5qYCBEqaEaeV.
D:\tmp>php test.php
<pre>
$1$dW0.is5.$U.zA4AF2/AvLMpxAdd57x1
D:\tmp>php test.php
<pre>
$1$dW0.is5.$FO6NpJOzWGbHX3Al2BRcU1
D:\tmp>php test.php
<pre>
$1$dW0.is5.$OoBfHS6yulKgQHVDZ8XLx/
D:\tmp>php -v
PHP 5.3.6 (cli) (built: Mar 17 2011 10:37:07)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies

D:\tmp>

[2011-05-13 06:16 UTC] os at irj dot ru

At Windows XP

Expected result:
$1$dW0.is5.$em49ePD07X75OTvpVod410

Actual result:

C:\tmp>php test.php
$1$dW0.is5.$UW7SlpXxFDXZ9zHcYQy.l/
C:\tmp>php test.php
$1$dW0.is5.$RS2jtU/Pp9KpSl.upfU3B.
C:\tmp>php test.php
$1$dW0.is5.$RS2jtU/Pp9KpSl.upfU3B.
C:\tmp>php test.php
$1$dW0.is5.$RS2jtU/Pp9KpSl.upfU3B.
C:\tmp>php test.php
C:\tmp>php -v
PHP 5.3.6 (cli) (built: Mar 17 2011 10:37:07)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies

[2011-05-16 16:20 UTC] [email protected]

-Status: Open +Status: Assigned -Assigned To: +Assigned To: pajoye

[2011-05-16 16:46 UTC] [email protected]

Confirmed. 

Seems to be only happening in the TS API.

[2011-05-16 17:18 UTC] [email protected]

Please note that as this code may or should produce similar results on all 
platforms or builds, it is not correct.

MD5 salt is max. 12 characters as described in the manual and how the extra 
characters are treated are implementation specific.

Use blowfish or other stronger algorithm if you like to use a bigger salt.

[2011-05-21 20:11 UTC] [email protected]

Pierre, could you test the proposed fix, please?
Thanks in advance.

[2011-05-22 18:29 UTC] [email protected]

-Status: Assigned +Status: Feedback

[2011-05-22 18:29 UTC] [email protected]

On FreeBSD I got (which uses system's crypt):

<?php 
echo crypt("dev", '$1$dW0.is5.$10CH101gGOr1677ZYd517.'); 
?>
.ionEGu/npGjI

With the proposed fix, I got on windows (which is what this bug is about):
$1$dW0.is5.$Jay703TqfAIolX2oUKG7u1

Which is not what the initial report says, it expects:

$1$dW0.is5.$10CH101gGOr1677ZYd517.

And using the tests provided privately:


<?php 
echo crypt("", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("b", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("bu", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("bug", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("pass", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("buged", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("aaaaaaaaaaaaaaaaaaaaaaaaa ", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
?>
Windows (with patch):
$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$geEFTh1pYyBlKNV7Jd0jJ0
$1$dW0.is5.$J9qpZsnaE3ddwR9CfXJq71
$1$dW0.is5.$5tcolHQsY5Pxr8vn4rzdN/
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0

FreeBSD:
$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$KaspRpPQ9U7Xb5Vv5c.WE/
$1$dW0.is5.$X9G1x/Ep8zYQSrU4/lKUg.
$1$dW0.is5.$wE5Rz/HxPtDMfqil6kK980
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0

I don't think the patch or the initial report is correct and it somehow confirms my thoughts, len>16 is really implementation specific. Or did I 
miss something?

[2011-05-22 18:40 UTC] [email protected]

On Linux (Debian):
$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$KaspRpPQ9U7Xb5Vv5c.WE/
$1$dW0.is5.$X9G1x/Ep8zYQSrU4/lKUg.
$1$dW0.is5.$wE5Rz/HxPtDMfqil6kK980
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0

[2011-05-22 19:22 UTC] [email protected]

oh my bad, used the wrong bins. Here are the results with the patch on windows, 
seems to match now:

$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$KaspRpPQ9U7Xb5Vv5c.WE/
$1$dW0.is5.$X9G1x/Ep8zYQSrU4/lKUg.
$1$dW0.is5.$wE5Rz/HxPtDMfqil6kK980
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0

[2011-05-24 15:48 UTC] [email protected]

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=311390
Log: - Fix #54721, different Hashes on Windows, BSD and Linux on wrong Salt size

[2011-05-24 15:48 UTC] [email protected]

-Status: Feedback +Status: Closed

[2011-05-24 15:48 UTC] [email protected]

Fixed in all active branches and trunk.

[2012-04-18 09:50 UTC] [email protected]

Automatic comment on behalf of pajoye
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c689dd9d59a98c1c5442002470524bc0955a7a6b
Log: - Fix #54721, different Hashes on Windows, BSD and Linux on wrong Salt size

[2012-07-24 23:41 UTC] [email protected]

Automatic comment on behalf of pajoye
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c689dd9d59a98c1c5442002470524bc0955a7a6b
Log: - Fix #54721, different Hashes on Windows, BSD and Linux on wrong Salt size

[2013-11-17 09:38 UTC] [email protected]

Automatic comment on behalf of pajoye
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c689dd9d59a98c1c5442002470524bc0955a7a6b
Log: - Fix #54721, different Hashes on Windows, BSD and Linux on wrong Salt size

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Jun 11 11:01:26 2025 UTC