Closed AndrewCarterUK closed 8 years ago
Please update the README file with the issues that exist in the code, not with a general explanation paragraph. And do not remove any of the code. (You can add readme files to separate folders if they are insecure as well).
Evidence of some of the vulnerabilities that warrant this action:
https://github.com/OWASP/phpsec/blob/master/libs/crypto/confidentialstring.php#L37
Hard coded encryption keys in a class that pretends to provide encryption (but actually just obfuscates). An object injection vulnerability was also found in this file.
https://github.com/OWASP/phpsec/blob/master/libs/core/random.php
//If openssl is present, use that to generate random.
if (function_exists("openssl_random_pseudo_bytes") && FALSE)
{
$random32bit=(int)(hexdec(bin2hex(openssl_random_pseudo_bytes(64))));
}
The '&& FALSE' means that the CSPRNG openssl API is never used. Even if it was to be used the return value isn't checked (it can be false) and neither is the optional '$secure' output variable which flags whether the CSPRNG managed to securely generate a random value.
The intended fallback uses 'mt_rand' which should never be used for the purposes of cryptography. It also merges the seed values in a way that gives a ridiculously high number of collisions. Similar mistakes are made throughout the file.
https://github.com/OWASP/phpsec/blob/master/libs/auth/user.php#L71
This method converts the password to lower case before hashing it. This massively increases the opportunity for a brute force attack because 'PASSWORD' is the same as 'password'.
https://github.com/OWASP/phpsec/blob/master/libs/auth/user.php#L88
This method is vulnerable to timing attacks (should use hash_equals).
All of these were discovered in code inspections on only a few of the files that took about 15 minutes.
As a result it is quite clear that the code in this library diminishes the OWASP brand and could cause significant issues to anyone who uses it.
Lets add that description to the bottom of the current README file, with a title like "UPDATE Nov2015" so that users can see and realize the issues with this library.
Thank you.
@abiusx This pull request is to delete the entire code base from the repository.
As I have already stated, it is beyond the point of repair and there is nobody willing to maintain it.
I would like you to bring this pull request to the attention of other OWASP team members if possible. With all due respect I do not believe we will make any further progress and it clearly needs the opinion of other members of your team.
Unfortunately I cannot accept that. Removal of the entire code is not a beneficial action from what I see.
OWASP is an open source organization with thousands of members. There are no teams for this project. Any OWASP member or individual can contribute to OWASP.
Relates to: https://github.com/OWASP/phpsec/issues/108