And I thought sfDoctrineGuardPlugin was bad…

Update: You can safely ignore this angry rant as the issues have been fixed.

I am speechless. While doAuthPlugin looks interesting (especially because it uses inheritance and not some silly secondary Profile table), on the topic of security it is worse than sfDoctrineGuardPlugin.

Let’s have a quick look at doAuthTools.

  public static function rememberHash(User $user) {
    return md5($user->getId().'-'.$user->getUsername().substr($user->getPassword(),0,5));
  }

There’s the use of md5, which doesn’t hold up long against rainbow table attacks nowadays, but the worst part is what goes into it: no random data at all, no salt.
The user id is public most of the time, the username almost always is, and for absolutely no reason only the first five characters of the password are used.

  public static function activationCode(User $user) {
    return md5($user->getCreatedAt().time().$user->getUsername().substr($user->getUsername(),0,5));
  }

created_at is easy to guess, time() is easy to guess and the rest is public. Again, what’s with the use of substr()? I would also guess the author meant to use the password and not the username.

  public static function generatePassword() {
    return substr(md5(rand(1000,9999).time()),0,8);
  }

Now this is just sad. Sure, even with only a-f0-9 there are still 16^8 possible passwords, but why not spend a little time and use all the available letters? It also means that if you know the user id and username, there are only 16^5 possible rememberHash values to brute-force, which is easily doable.

We’ve already seen that using rand() is bad, but restricting its range is even worse. Why on earth? To sum up, the password is built from a poor random algorithm with under 9000 possible values and an easily predictable timestamp.

Frightening.
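For comparison, here is what the three helpers look like when the secrets actually come from a CSPRNG. This is an added example, not doAuthPlugin’s code; the function names are mine, and it assumes PHP 7 or later for random_bytes(), random_int() and hash_equals().

```php
<?php
// Added example (not doAuthPlugin's code): hardened counterparts of the three
// doAuthTools helpers discussed above. Assumes PHP 7+ (random_bytes, random_int,
// hash_equals). Function names here are hypothetical.

// A remember-me token must be unpredictable and must not be derived from public
// or guessable attributes (id, username, created_at, time()).
function newRememberToken(int $bytes = 32): string {
    // 32 bytes from the CSPRNG -> 256 bits, hex-encoded for the cookie.
    return bin2hex(random_bytes($bytes));
}

// Store only a hash of the token server-side so a leaked column does not yield
// valid cookies; compare in constant time to avoid a timing side channel.
function rememberTokenMatches(string $presented, string $storedHash): bool {
    return hash_equals($storedHash, hash('sha256', $presented));
}

// Activation codes: same idea, pure randomness instead of created_at/time()/username.
function newActivationCode(): string {
    return bin2hex(random_bytes(16)); // 128 bits is ample for a one-shot code
}

// Passwords: draw each character uniformly from the full alphabet with
// random_int(), instead of substr(md5(rand(1000,9999).time()), 0, 8).
function generatePassword(int $length = 12): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Keyspace in bits, to make the post's arithmetic concrete. The original
// password is fully determined by rand(1000,9999) (9000 values) and time();
// if the creation time is known to within $windowSeconds, an attacker has
// only 9000 * $windowSeconds candidates to try.
function weakPasswordBits(int $windowSeconds): float {
    return log(9000 * $windowSeconds, 2);
}

function strongPasswordBits(int $length, int $alphabetSize = 62): float {
    return $length * log($alphabetSize, 2);
}

printf("weak, creation time known to one day: %.1f bits\n", weakPasswordBits(86400));
printf("strong, 12 chars from 62 symbols:      %.1f bits\n", strongPasswordBits(12));
```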


3 Comments

  1. Davert
    Posted 2010-04-03 at 22:01
    Thanks for your comments. Sure, that’s the weak part. The plugin is beta, so all feedback is very useful. I have updated the plugin based on your notes.

    http://github.com/DavertMik/doAuthPlugin/blob/master/lib/doAuthTools.class.php

    Please contact me by email if you find out that it is bullshit anyway :) We can discuss the better principles. Also, you can make a fork on Github and provide your implementations.

    Thank you

  2. Posted 2010-04-03 at 22:12
    Thank you for being so reactive. I realize I should have contacted you, but I was feeling grumpy today. Anyway, I’m following your plugin with great interest!

    I’ll check on it later.

  3. Davert
    Posted 2010-04-03 at 22:31
    Yep, I’m reading your old post about the criticism of sfDoctrineGuard. You know, I have an idea about the seeding of rand generators, from some C++ experience in my student years. But I was too drowned in my work to concentrate on these code generation issues.

    I have updated documentation too.

    First day after publishing my plugin. I think that’s great that you are following it :)
