I think i'm losing my marbles here... I've got a problem on my web site where randomly it stops accepting logins. I've now been able to trace it to crypt() behaving very strangely.
In my database, i've got the crypted version of the users password - so let's say Og12345678.
When the user logs in, they enter their password, I read the salt out of the db and then crypt what they entered and compare - usually this works very well.
So i'm doing crypt($enteredPassword, $saltFromDb) - in this case, the salt would be Og of course. Normally for a given users password crypt works fine.
When things go wrong (and when they do it's a permanent change until I restart Apache) I found that crypt starts returning a DIFFERENT answer for the same input with the same salt.
It's consistent however, i.e. once the system has gone wrong crypt returns the wrong answer but it's always returning the same wrong answer. Repeated refreshes of the page show the same output. The same salt is also in evidence in the newly incorrect crypt result also, so it's not that the salt has gone missing somewhere.
If I then restart Apache and re-run the script without any changes at all, the results from crypt are then back to how they should be.
I appreciate it's not the latest PHP (5.2.8) but would value any views on this including whether it's a known bug fixed in a later version (upgrading PHP is not a happy task with lots of sites some of which still use unfortunate quirks that all need to be re-tested with each upgrade) - if it is a known fixed bug then obviously i'll get it all upgraded ASAP, beyond that it'll probably be easier to outsource the crypt externally since I only use it in one common place for my site.
Any input appreciated.
Matt Peddlesden
--- Update: 11 Mar 2011
Correction to comment previously given about operating system...
- Operating system is Windows Server 2008 SP1 64 bit. Apologies I should have double checked rather than assuming I could remember! Machine is a Dell 2950 8gb Ram, Xeon processors.
I am starting to think along the lines Krtek is suggesting - when the system has gone wonky, if I generate new crypt() (i.e a very simple example where i set a variable to a string, crypt it and then compare with the crypt) - all works great. When I restart the server, again it's all back to the previous calculations again. So I am definitely leaning towards something that is changing the algorithm used to calculate the crypt() result... any thoughts on what might cause this to happen? I printed out the values of the CRYPT_STD_DES etc and they don't change between restarts.
Anyone got any clues on what might cause this to happen?
Whatever it was seemed to happen twice in one day yesterday, most odd.
Thanks for the answers thus far.
--- Update: 16 Mar 2011
Just wanted to provide another update.
This is still happening, still no further understanding of why.
In case anyone comes across this in the future, I think my solution going forwards is going to be to do some nasty hack to push all the crypt() executions out to an external C# application and stop having to rely on PHP to do them. Something is going wrong somewhere and at this point the only solution I can see is to remove it from the equation entirely.
Of course if it still happens, that will be interesting to know too! :)
Thanks all.
Why are you reading the salt? And how are you getting the salt? Different algorithms use different methods for including the salt in the output.
Just use the whole output of the crypt function as the second argument:
$crypted='Og12345678';
if (crypt($_POST['password'], $crypted)==$crypted) {
....
And single pass DES? Really?
Last time I looked, the PHP crypt implementation would call the crypt() function provided by the system - so if it has broekn then its more likely to be your OS than PHP - but you didn't say what your OS is.
It might be the Suhosin PHP security patch affecting your crypt() function. It alters a lot of the encryption/random methods and may be the the cause of your problem.
Check a phpinfo() and see if 'suhosin' is anywhere on the page. If it's there, look into disabling some of it's features in the php config.
i had the same problem with crypt... I had that login-check working on 2 servers, but when i transfer it to the newest one it eventually stop working. I walk around it with md5 encryption as follows:
In register.php
$encrypted = md5($_POST["pass"]);
...
And then in login.php
$password = md5($_POST["password"]);
if ($password == $row["hash"])
{
// remember that user's now logged in by storing user's details in session
$_SESSION["id"] = $row["id"];
$_SESSION['username'] = $_POST['username'];
$_SESSION['logged'] = 'Yes';
// redirect to homepage
redirect("index.php");
}
I hope that helps :)
I faced the same problem. Since moving my vTigerCRM installation to local machine, user login with previously stored passwords started failing. It seems like crypt() is returning different hashes on different environments with the same arguments:
On local environment:
SYSTEM: Windows NT 6.1 build 7601 (Business Edition Service Pack 1) i586
PHP: 5.3.5
crypt('hello world','$1$ad0000000'):
$1$ad00000008tTFeywywdEQrAl9QzV.M1
On production environment:
SYSTEM: Linux 2.6.18-338.9.1.el5.lve0.8.32 #1 x86_64
PHP: 5.3.5
crypt('hello world','$1$ad0000000'):
$1$ad000000$8tTFeywywdEQrAl9QzV.M1
Related
Oke, i've been busting my head on this one.
I'm gonna try and keep things short, however, if you need more info, don't hesitate to ask.
I've written an import repo for an external firm, so we can import their data into our service.
quick overview of implemented logic?
ftp, grab xml file, parse it with simple_xml and do db stuff using laravel eloquent component.
on my dev machine,
every run gets parsed fully and all data is inserted correctly into the database.
problem
when i try the same thing on my production server.
I'm receiving a duplicate entry error, always on the same exact record. (unless i'm using another file)
pre script setup to help detect the error
on each run i do the following:
make sure i'm using the exact same files on both dev and prod
environment... (i've disabled the ftpgrab and uploaded manually to
the correct location)
truncate all the related tables so i'm always
starting with empty! tables.
i've manually triple-zillion checked for duplicates in the xml, but they're not in there.... and the fact that
my dev machine parses the file correctly confirms this.
what i tried
at this point, i've got no more clues as to how i'm supposed to debug this properly.
by now, i've checked so many things (most of them i can't even remember), all of which seemed pretty unrelated to me, but i had to try them.
those things include:
automatic disconnects due to browser
mysql wait timeouts
php script timeouts
memory settings
none of them seem to help (which was exactly what i was expecting)
another fact
my php version on my dev is 5.4.4 and the version on the production server is 5.3.2 (i know this is bad practise, but i'm not using any new features, it's really dead easy code, though it has quite a few lines :-) )
i've been suspecting this to be the cause, but
i've now switched to 5.3.14 on my dev... still the import runs without an issue
the changes from 5.3.2 to 5.3.14 are probably pretty minor
i've tried to manually compile the exact same php version, but i'm to inexperienced to properly do this. moreover, it probably wouldn't have the exact same specs anyway (i think it's pretty impossibly to ./configure exactly the same, considering the use of MacOs vs Ubuntu? especially for a noob like me)
So i've abandoned this path.
I've tried to find the differences in the php versions, but i can't seem to stumble upon anything that might be the cause to all this.
there was a change related to non-numeric keys in arrays (or strings for that matter) in version 5.4.4 (i think) but since i've now come to the conclusion that 5.3.14 also works, this definitely is not the issue. --- looking around insecurely hoping not having said anything downright stupid ---
quick thought while writing this:
the thing is, even though i'm getting the duplicate error statement.
The record did get inserted into the database.
moreover, the error gets triggered when having processed about 2700 (of total 6000) records.
the bound data to the query is actually the data of the second record in the xml file.)
I'm sincerely hoping anyone could put me on the right track for this issue :(
If you made it this far, but don't have a clue about what's going on, thx for reading and sticking to it.
If you might have clue, please enlighten me!
I run a php script from xampp portable on windows. The script takes over a minute. Recently, the script is having flush() problem, as echo statements are not immediately displayed. The script used to work fine earlier with no buffering problem.
Interestingly, I ran the same script copying the xampp portable to another system and the flush statements were working without any problem. Same code, Same xampp portable.
What could be the reason?
Make the first line of your script ob_implicit_flush();.
or
Change the php.ini file setting implicit_flush = On.
From the documentation:
implicit_flush boolean, FALSE by default. Changing this to TRUE tells
PHP to tell the output layer to flush itself automatically after every
output block. This is equivalent to calling the PHP function flush()
after each and every call to print or echo and each and every HTML
block.
When using PHP within an web environment, turning this option on has
serious performance implications and is generally recommended for
debugging purposes only.
I read other responses and you keep insisting on the fact that your home environment and your work environment are the same. However, you can see that there is a difference. This point of view really help (at least to me) to investigate problems.
Since you did not provide many details about the problem, I would try the following checklist:
Settings
Is your PHP settings really identical? Try to compare results of phpinfo() on both environments.
Data
Do you really test your script on identical data? There are many subtle problems that are described in PHP manual:
Even the browser may buffer its input before displaying it. Netscape, for example, buffers text until it receives an end-of-line or the beginning of a tag, and it won't render tables until the tag of the outermost table is seen.
Some versions of Microsoft Internet Explorer will only start to display the page after they have received 256 bytes of output, so you may need to send extra whitespace before flushing to get those browsers to display the page.
http://php.net/manual/en/function.flush.php
or
http://www.php.net/manual/en/function.ob-flush.php#90529 (commenters point out many problems that you may experience)
Try dummy plaintext data instead of HTML. You may try to output simple lines like current time and check behaviour of your script.
Browsers
Try a few browsers (with cleared cache) to see if the issue is browser-specific or not.
I think it may be your browser. Have you cleaned the temporary settings of Iron Portable browser?
this occurs when you use gzip and there is some output have been send so the browser get confused to solve this , i uses this code always
if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) && strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') !== false)
{ob_start('ob_gzhandler'); ob_start();}
else
ob_start();
You have not mentioned about the versions of windows both the systems running. Are the systems completely identical?
You also said that you are running a portable version of XAMPP , if you are using a pen drive/thump drive there is a chance that data transfer speeds can vary due to USB speeds.
I had a similar issue where the First system had USB legacy ports and the second one I tested has usb 2+ ports or higher.
The speed and processing time changed based on the systems, while one system took 20 seconds , other took nearly 60 seconds to process.
The slow system produced undesired results [I was working on an image processor].
I guess your case is similar and had to do a lot with the system vitals.
Cheers
Clain
I figured out that the problem is with antivirus. I recently switched to Bitdefender from Avast. When I switched back to Avast, the problem disappeared miraculously. So, i guess antivirus is also a factor here.
I just installed xampp, so i can test my website offline. Now i get numerous Undefined index or Undefined variable errors, which i know how to fix. Now logging in works online but with xampp it doesn't work. The code isn't wrong. I imported the database online to offline. I've pin pointed what is wrong but don't know how to solve it.
here is the code where i test if the login details are correct.
$Blowfish_Pre = '$2a$05$';
$Blowfish_End = '$';
$hashed_password = crypt($password, $Blowfish_Pre . $salt . $Blowfish_End);
//check to see if they match
if ($username==$dbusername&&$hashed_password==$dbpassword){
Offline the echoed $hashed_password for the account is $2a$05$CEDaiUETMOTuZ1tzSX1dW.1rmbYfiu1Hf6jnZyJ5DouQOIHEPwXiW
Online the echoed $hashed_password for the account is
$2J7rPSsTYb1Q
I've determined crypt is working differently online then it is offline? Why is this and how can i solve it?
crypt() uses different hash algorithm depending on what the system provides. Starting with PHP 5.3 it "contains its own implementation and will use that if the system lacks of support for one or more of the algorithms."
Your offline version does use blowfish as you can see at the start $2a$. Your online version does use some fallback.
See: http://php.net/manual/en/function.crypt.php
I am unable to comment..yet, so I place this answer in hope I can save some people some time.
I had the same question asked, and the chosen answer led me to the solution. But since it did not provide my ultimate solution, I thought I would share to save someone time.
My wamserver was PHP 5.38
my production server I found out was 5.2x
I simply asked them to upgrade me to the latest version, which was 5.4.22...and that solved the issue. The same code started kicking out 60 character hashes again.
So I would bet that if you have this same occurrence, upgrade the server acting up to the latest version of PHP or something over 5.3 and you should be good.
I have an old joomla installation which was hacked. All I know for now only index.php was changed and they messed with my user accounts. I downloaded index.php from the current version but at one point it calls $app->dispatch(); which requires a component name parameter in my version. Does anyone know what parameter this should be? I tried: null, 'home', 'application',...
Also I'm planning on updating to the newest version later, however I can't seem to find my current version number. I found somewhere that it is displayed in the admin pages but I can't access them yet. Can I find it in the code files somewhere?
EDIT: The index.php from version 1.5.22 worked. Apparently the correct version was 1.5.3. Does anyone know what else I should check that might have been hacked/messed with?
Why not get a copy of the version you used?
http://forum.joomla.org/viewtopic.php?p=2221953
You can go to the joomla project on
joomlacode.org, then select the search
tab. From there you type in "1.0.10"
and select Releases to search in. You
should get some results. Click on the
one you are searching for, the files
can be found on the files tab, this
time the tab is on a blue bar (more to
the bottom of the screen).
Although I'd recommend upgrading completely, to stop being re-hacked again.
====== Answer to second question
How big is the site? Usually if it's just a link spamming attack a quick once over will suffice.
The next issue is that you need to patch the hole that caused the problem, in this case upgrading to the latest Joomla (1.6 - I believe) is the first port of call.
Have you modifed the Joomla system in such a way that the hack could have been opened up by you?
My advice, reset the admin passwords and upgrade Joomla.
Very difficult to say anything else without seeing what the "hack" was.
I had to clean out a hacked Joomla install recently. My tip is to grep all the files base64_decode: some hacks consist of decoding a huge string that emits php.
find ./ | xargs grep base64_decode
The hack looked like this: error_reporting(0);eval(base64_decode('JGxMOXdGMWFZNHpY.....
This particular piece of code detected googlebot and other crawlers, and then emitted a list of spam links heavy on viagra. If a normal user agent string was used it showed a normal site. I had to use a firefox extension that changes the user agent to debug this.
The next step would be getting rid of the exploit and then either patching Joomla and waiting for the next exploit or switching to something more secure, like static html or a well-maintained CMS.
Fortunately Joomla has really nice documentation on how to recover from a hack. http://docs.joomla.org/Security_Checklist_7. As Pino mentioned, it is critical that you are always on the latest version to minimize your exposure to security exploits.
I think I may have found a bug in PHP's crypt() function under Windows.
However: I recognize that it's probably my fault. PHP is used by millions and worked on by thousands; my code is used by tens and worked on by me. (This argument is best explained on Coding Horror.)
So I'm asking for help: show me my fault. I've been trying to find it for a few days now, with no luck.
The setup
I'm using a Windows server installation with Apache 2.2.14 (Win32) and PHP 5.3.2. My development box runs Windows XP Professional; the 'production' server (this is an intranet setup) runs Windows Storage Server 2003. The problem happens on both.
I don't see anything in php.ini related to crypt(), but will happily answer questions about my config.
The problem
Several scripts in my PHP app occasionally hang: the page sits there on 'waiting for localhost' and never finishes. Each of these scripts uses crypt to hash a user's password before storing it in the database, or, in the case of the login page, to hash the entered password before comparing it to the version stored in the database.
Since the login page is the simplest, I focused on it for testing. I repeatedly logged in, and found that it would hang maybe 4 out of 10 times.
As an experiment, I changed the login page to use the plain text password and changed my password in the database to its plain text version. The page stopped hanging.
I saw that PHP's latest version lists this bugfix:
Fixed bug #51059 (crypt crashes when
invalid salt are [sic] given).
So I created a very simple test script, as follows, using the same salt given in an official example:
$foo = crypt('rasmuslerdorf','r1');
echo $foo;
This page, too, will hang, if I reload it like crazy. I only see it hanging in Chrome, but regardless of browser, the effect on Apache is the same.
Effect on Apache
When these pages hang, Apache's server-status page (which I explained here, regarding a different problem) increments the number of requests being processed and decrements the number of idle workers. The requests being processed almost all have a status of 'Sending Reply,' though sometimes for a moment they will show either 'Reading request' or 'keepalive (read).'
Eventually, Apache may crash. When it does, the Windows crash report looks like this:
szAppName: httpd.exe
szAppVer: 2.2.14.0
szModName: php5ts.dll
szModVer: 5.3.1.0 // OK, this report was before I upgraded to PHP 5.3.2,
// but that didn't fix it
offset: 00a2615
Is it my fault?
I'm tempted to file a bug report to PHP on this. The argument against it is, as stated above, that bugs are nearly always my fault.
However, my argument in favor of 'it's PHP's fault' is:
I'm using Windows, whereas most servers use Linux (I don't get to choose this), so the chances are greater that I've found an edge case
There was recently a bug with crypt(), so maybe it still has issues
I have made the simplest test case I can, and I still have the problem
Can anyone duplicate this? Can you suggest where I've gone wrong? Should I file the bug after all?
Thanks in advance for any help you may give.
The bugs 51059 (only about passing invalid inputs) or 50947 (not the same code, 5.3 has new algorithms and features implemented in php, on all platforms) are not related to this problem.
However http://bugs.php.net/bug.php?id=51424 is. I already posted a partial patch there, but it solves most of the possible locks but it is indeed not sufficient. A full fix will be present in the next 5.3 release.
By the way, it is not windows specific but about the threaded SAPI (windows apache 2.2 for example).
This question has now been viewed 128 times and upvoted 9 times. The only answer I've received says it's a bug, and points to one in the PHP bug database. I don't think it's exactly the same one, but it does seem to validate my diagnosis.
Therefore, with some hesitation, I have filed a bug report:
Bug #51666 - Using crypt() makes Apache hang or crash
Thanks to everyone who has looked at this with me - even if you didn't reply, just knowing that others were considering this with me, and not telling me I'm crazy, has been helpful.
Yes. It's a known bug,
http://bugs.php.net/bug.php?id=50947
You can simulate the crypt() result using mcrypt. If you can change your password hash, you should really use hash_hmac(), which is more secure and we have no issues with it On Apache. No experiences on Windows though.