The github_verify_post function at:
https://github.com/phpmyadmin/scripts/blob/master/hooks/lib/github.php#L36
accepts every algorithm returned by the hash_algos() function, which can include weak algorithms such as:
crc32, crc32b, md2, md4, md5
which greatly reduce the number of attempts a brute-force attack needs to pass the validation.
Reported by Emanuel Bronshtein.
Fix: ensure $algo is sha1; GitHub currently uses sha1: https://developer.github.com/webhooks/securing/#validating-payloads-from-github
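The weak check described in the report next to the pinned-sha1 fix, as an added example that is not the scripts repository's own code; the `<algo>=<hex>` header layout, the function names, the secret and the payload are assumed or constructed for illustration.

```php
<?php
// Added example, not code from phpmyadmin/scripts. The header layout
// ("<algo>=<hex>") and the hash_algos() membership test follow the report;
// the function names, secret and payload are constructed for this demo.

// Weak form: the digest algorithm is read from the header and only checked
// against hash_algos(), so every supported digest (md5 included) is accepted.
function verify_weak(string $header, string $payload, string $secret): bool
{
    if (strpos($header, '=') === false) {
        return false;
    }
    list($algo, $sig) = explode('=', $header, 2);
    if (!in_array($algo, hash_algos(), true)) {
        return false;
    }
    $expected = hash_hmac($algo, $payload, $secret);
    return hash_equals($expected, $sig);
}

// Fixed form: the algorithm is pinned to sha1, the one GitHub sends, so a
// header naming any other digest is rejected before any HMAC is computed.
function verify_strict(string $header, string $payload, string $secret): bool
{
    if (strpos($header, '=') === false) {
        return false;
    }
    list($algo, $sig) = explode('=', $header, 2);
    if ($algo !== 'sha1') {
        return false;
    }
    $expected = hash_hmac('sha1', $payload, $secret);
    return hash_equals($expected, $sig);
}

$secret  = 'constructed-demo-secret';          // constructed, not a real secret
$payload = '{"ref":"refs/heads/master"}';      // constructed webhook body

// md5 is on the report's weak list and is still accepted by hash_hmac();
// PHP >= 7.2 refuses crc32/crc32b in hash_hmac(), see hash_hmac_algos().
$md5Header  = 'md5=' . hash_hmac('md5', $payload, $secret);
$sha1Header = 'sha1=' . hash_hmac('sha1', $payload, $secret);

var_dump(verify_weak($md5Header, $payload, $secret));    // md5 header, weak check
var_dump(verify_strict($md5Header, $payload, $secret));  // md5 header, pinned check
var_dump(verify_strict($sha1Header, $payload, $secret)); // sha1 header, pinned check
```

Only the pinned check turns the md5-signed header away; both accept the sha1-signed one.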