password_verify can erroneously return true, opening ATO risk

Summary

If a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() incorrectly returns true. The cause lies in the bcrypt backend, which takes the password as a NUL-terminated C string: "\x00..." and "" produce the same hash and therefore verify against each other.

If a user were able to set a password with a leading null byte (unlikely, but syntactically valid), an attacker could trivially take over the victim's account by signing in with a blank string. The fix shipped in PHP 8.1.28, 8.2.18 and 8.3.6, where password_hash() rejects a bcrypt password containing a NUL byte with a ValueError.

Details

$ php -v
PHP 8.3.2 (cli) (built: Jan 16 2024 13:46:41) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.2, Copyright (c) Zend Technologies
    with Xdebug v3.3.0, Copyright (c) 2002-2023, by Derick Rethans
    with Zend OPcache v8.3.2, Copyright (c), by Zend Technologies

This appears to exist at least back to 8.1.0: https://3v4l.org/Z0pcl

PoC

$ cat pw_bug.php
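The contents of pw_bug.php are not reproduced on this page. The script below is an added example, not the advisory's file and not php-src code: it reproduces the behaviour on an affected build, shows how a patched build reacts, and wraps the two functions in hypothetical safe_password_hash()/safe_password_verify() helpers that refuse NUL bytes before the runtime sees them, so an application stays safe even on an unpatched interpreter. The stored password and the "correct horse battery staple" string are constructed sample inputs.

```php
<?php
declare(strict_types=1);

// Added example for CVE-2024-3096 (not the advisory's pw_bug.php).
// bcrypt treats the password as a NUL-terminated C string, so on affected
// versions "\x00secret" and "" hash identically and verify against each other.

/** True when bcrypt would silently truncate this password at a NUL byte. */
function contains_nul(string $password): bool
{
    return strpos($password, "\0") !== false;
}

/** Hypothetical helper: hash a password, refusing input bcrypt would truncate. */
function safe_password_hash(string $password): string
{
    if ($password === '' || contains_nul($password)) {
        throw new ValueError('Password must be non-empty and must not contain a NUL byte');
    }
    return password_hash($password, PASSWORD_BCRYPT);
}

/** Hypothetical helper: verify a candidate, rejecting anything bcrypt would alter. */
function safe_password_verify(string $candidate, string $hash): bool
{
    if ($candidate === '' || contains_nul($candidate)) {
        return false;
    }
    return password_verify($candidate, $hash);
}

// --- 1. The bug as described in the advisory ---
$stored = "\x00secret";   // constructed sample: stored password with a leading NUL

try {
    $hash = password_hash($stored, PASSWORD_BCRYPT);
    // On affected versions the empty string verifies as the correct password.
    var_dump(password_verify('', $hash));
} catch (ValueError $e) {
    // Patched versions refuse to hash a password containing a NUL byte.
    echo "password_hash() rejected the NUL byte: {$e->getMessage()}\n";
}

// --- 2. The hardened path, independent of PHP version ---
try {
    safe_password_hash($stored);
} catch (ValueError $e) {
    echo "safe_password_hash() rejected the NUL byte: {$e->getMessage()}\n";
}

$goodHash = safe_password_hash('correct horse battery staple');
var_dump(safe_password_verify('', $goodHash));
var_dump(safe_password_verify("\x00correct horse battery staple", $goodHash));
var_dump(safe_password_verify('correct horse battery staple', $goodHash));
```

On an affected interpreter the first var_dump prints bool(true), which is the account-takeover condition; on a patched one the catch branch runs instead. The three checks at the end print false, false and true on every version, because the helpers never pass a NUL-containing or empty candidate to the runtime. Rejecting the input outright is preferable to stripping the NUL byte, since normalising the password would again make two different inputs verify as equal.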

Linked CVEs

CVE-ID          Severity (CVE.org)  CVSS (CVE.org)  EPSS  EPSS-%  Published (CVE.org)
CVE-2024-3096   -                   -               -     -

Source details

Identifier  Name                             Category         Tags          Audience  Language  Feed URL
php_sec     PHP Security (php/php-src GHSA)  vendor_advisory  php, runtime  -         de        https://github.com/php/php-src/security/advisories