
Stop using md5 and sha1

Open GIANTCRAB opened this issue 10 years ago • 3 comments

Hello, I skimmed through the code very briefly and was shocked by the security of the software.

Hashing for the passwords is very weak: users are hashed with the md5 function through MySQL, while admins are hashed with PHP sha1. Although the admin's password was salted, the salt was not a unique one for every installation.

Over the years, sha1 and md5 have been considered to be weak since they can be deciphered/decrypted.

The PHP dev team has strongly suggested the use of crypt() or password_hash(), which is a simple crypt() wrapper and compatible with existing password hashes.

There are also articles like this out there that support the use of bcrypt and not sha1/2/3/256/512 or md5, etc.

References for the code:

@mysql_query("INSERT INTO users (date_created,sso_user,sso_pass,username,password,email_address,first_name,last_name) VALUES(NOW(),AES_ENCRYPT('$username', '$enc_key'),AES_ENCRYPT('$password', '$enc_key'),'$username',MD5('$password'),'$email','$first_name','$last_name')") or die('Failed to create user: '.mysql_error());

$password = base64_encode(sha1('ZzaX'.$password.'GPX88'));

GIANTCRAB avatar Oct 14 '14 10:10 GIANTCRAB
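The following is an added example, not code from GamePanelX-V3 or from anyone in this thread. It reproduces the two weak constructs quoted above (MySQL MD5() for users, base64 of sha1 with a fixed salt for admins) only so that existing rows can still be checked, puts password_hash()/password_verify() beside them, and rewrites a legacy hash the next time its owner logs in successfully, which is how a live install can migrate without forcing resets. The single `users` table, its `username`/`password` columns, the `$role` switch and the SQLite demo data are assumptions for the example; the real GamePanelX schema may differ.

```php
<?php
// Added example, not GamePanelX-V3 code. Legacy hashes are kept only for
// verification; every successful login rewrites the row with password_hash().
// Assumed schema: users(id, username, password). Demo data below is constructed.

// ---- Legacy hashes, as quoted in the issue ----
function legacy_user_hash(string $password): string
{
    return md5($password);                     // same output as MySQL MD5('$password')
}

function legacy_admin_hash(string $password): string
{
    // Static salt: identical on every installation, so one precomputed table
    // for this salt works against every admin password out there.
    return base64_encode(sha1('ZzaX' . $password . 'GPX88'));
}

// ---- Hardened replacement ----
function hash_password(string $password): string
{
    // bcrypt with a random per-hash salt; salt and cost are embedded in the string.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function create_user(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, hash_password($password)]);
}

/**
 * Verifies a login against a modern or a legacy hash. On success a legacy
 * hash (or a bcrypt hash with an outdated cost) is replaced by password_hash().
 * $role picks which legacy scheme the row may still carry ('user' or 'admin').
 */
function verify_and_upgrade(PDO $pdo, string $username, string $password, string $role = 'user'): bool
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $stored = $row['password'];

    // password_get_info()['algo'] is 0 (PHP 7) or null (PHP 8) for strings that
    // password_hash() did not produce, i.e. for the old MD5 / SHA-1 values.
    if (password_get_info($stored)['algo']) {
        if (!password_verify($password, $stored)) {
            return false;
        }
        $needs_rehash = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]);
    } else {
        $legacy = $role === 'admin' ? legacy_admin_hash($password) : legacy_user_hash($password);
        if (!hash_equals($stored, $legacy)) {   // constant-time comparison
            return false;
        }
        $needs_rehash = true;                   // always migrate off MD5 / SHA-1
    }

    if ($needs_rehash) {
        $upd = $pdo->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([hash_password($password), $row['id']]);
    }
    return true;
}

// ---- Demo on an in-memory SQLite database (constructed data) ----
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// A pre-existing row hashed the old way, as the quoted INSERT would have stored it.
$pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
    ->execute(['alice', legacy_user_hash('correct horse battery staple')]);
create_user($pdo, 'bob', 'a-long-random-passphrase');

var_dump(verify_and_upgrade($pdo, 'alice', 'correct horse battery staple')); // legacy row accepted, then rewritten
var_dump(verify_and_upgrade($pdo, 'alice', 'wrong password'));
var_dump(verify_and_upgrade($pdo, 'bob', 'a-long-random-passphrase'));

// alice's stored value is now a bcrypt string beginning with "$2y$12$".
echo $pdo->query("SELECT password FROM users WHERE username = 'alice'")->fetchColumn(), PHP_EOL;
```

The legacy functions exist only to recognise rows written by the old code; nothing new should ever be stored through them. Because bcrypt embeds its own random salt, the fixed 'ZzaX'/'GPX88' strings disappear entirely once a row has been upgraded, and password_needs_rehash() lets the cost be raised later without another migration.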

Looking back to 2014, here we are in 2015, and yet this issue is not fixed?
What a joke.

lifehome avatar Apr 03 '15 13:04 lifehome

While I have been so busy, I haven't had time to update in a while, I admit there have been security issues present. However, keep in mind this is an open source project, and people can commit fixes to the code if there are issues.

Have those addressing the issues contributed fixes for them? Just curious, because if you're not willing to write code, but you're willing to complain about a free project with 1 developer, not sure what you expect. Nor do I appreciate you calling something I spend my personal time on, that hasn't been updated in practically a year, a "joke."

I'd like to spend more of my time on this but lately I've been too busy to do so. On Apr 10, 2015 7:59 PM, "Kevin Gilbert" [email protected] wrote:

Well said

— Reply to this email directly or view it on GitHub https://github.com/devryan/GamePanelX-V3/issues/105#issuecomment-91747966 .

devryan avatar Apr 11 '15 04:04 devryan

Keep it up @devryan. @lifehome, since you've got a lot of time, you can contribute and help fix the problem.

ezspot avatar Apr 20 '16 12:04 ezspot