Open mortezasaki opened 4 years ago
Hi dev, I would like to point out a security issue in the Bcrypt class:
```php
public function verify($input, $existingHash)
{
    $hash = crypt($input, $existingHash);
    return $hash === $existingHash;
}
```
A simple strict equals sign `===` is used for hash comparison, which is vulnerable to a timing attack. The `hash_equals()` function should be used (http://php.net/manual/en/function.hash-equals.php) for comparing hashes. See also: https://www.php.net/manual/en/function.crypt
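For contrast, here is the reported `===` comparison next to a hardened `verify()` built on `hash_equals()`. This is an added example, not the project's code; the class name `SafeBcrypt` and the method names are hypothetical. Beyond the constant-time comparison it also rejects `crypt()` failure sentinels (the short `*0`/`*1` strings `crypt()` returns for an invalid salt), so a malformed stored hash can never be compared against its own failure value.

```php
<?php
// Added example (not the project's own code). Class and method names are hypothetical.

final class SafeBcrypt
{
    // Minimum length of a well-formed crypt()/bcrypt string; anything shorter is a
    // failure sentinel such as "*0" or "*1", never a real hash.
    private const MIN_CRYPT_LENGTH = 13;

    public static function hash(string $input, int $cost = 12): string
    {
        $hash = password_hash($input, PASSWORD_BCRYPT, ['cost' => $cost]);
        if (!is_string($hash)) {
            throw new RuntimeException('bcrypt hashing failed');
        }
        return $hash;
    }

    // Vulnerable form, as reported: === returns as soon as one byte differs,
    // so the comparison time depends on how long the common prefix is.
    public static function verifyUnsafe(string $input, string $existingHash): bool
    {
        $hash = crypt($input, $existingHash);
        return $hash === $existingHash;
    }

    // Hardened form: constant-time comparison plus sentinel checks.
    public static function verifySafe(string $input, string $existingHash): bool
    {
        // A stored hash that is too short is malformed; refuse it outright rather
        // than letting crypt() turn it into a sentinel we might then "match".
        if (strlen($existingHash) < self::MIN_CRYPT_LENGTH) {
            return false;
        }

        $hash = crypt($input, $existingHash);

        // crypt() signals an unusable salt with a short string; never accept it.
        if (strlen($hash) < self::MIN_CRYPT_LENGTH) {
            return false;
        }

        // hash_equals(known, user): the stored hash is the known value, the freshly
        // computed hash is derived from user input. Length mismatch returns false
        // without leaking where the strings diverge.
        return hash_equals($existingHash, $hash);
    }
}

// Constructed usage: a fresh bcrypt hash of a constructed sample password.
$stored = SafeBcrypt::hash('correct horse battery staple');

var_dump(SafeBcrypt::verifySafe('correct horse battery staple', $stored));
var_dump(SafeBcrypt::verifySafe('wrong password', $stored));
var_dump(SafeBcrypt::verifySafe('anything', '*0'));   // malformed stored hash
var_dump(SafeBcrypt::verifyUnsafe('correct horse battery staple', $stored));
```

If the class only needs to verify bcrypt hashes produced by `password_hash()`, PHP's built-in `password_verify()` already performs a timing-safe comparison and handles the sentinel cases, so wrapping it is the simplest fix; the `crypt()` + `hash_equals()` form above is the drop-in replacement when the existing `crypt()`-based code path must be kept.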