| Mon | Tue | Wed | Thu | Fri | Sat | Sun |
|---|---|---|---|---|---|---|
| << < | > >> | |||||
| 1 | 2 | 3 | ||||
| 4 | 5 | 6 | 7 | 8 | 9 | 10 |
| 11 | 12 | 13 | 14 | 15 | 16 | 17 |
| 18 | 19 | 20 | 21 | 22 | 23 | 24 |
| 25 | 26 | 27 | 28 | 29 | 30 | 31 |
Archives
- October 2004 (1)
- September 2004 (4)
- more...
Categories
10/05/04
03:06:07 pm, Categories: Bad Architecture, 174 words
Why use MD5 when you got MD4?
Okay before we get deeper into this craziness I would like to remind people that MD5() has been available since php3. Plus MD5 is way more secure than MD4... so I introduce you to today's PHP WTF.
<?php
function getMd4Pwd($pwd) {
$pwd = trim($pwd);
if (strlen($pwd) <= 0)
return "";
unset($arrOut);
$strCmd = "/usr/local/bin/md4sum ".$pwd;
exec($strCmd,$arrOut);
return strtoupper($arrOut[0]);
}
?>But wait! It gets worse... not only are they not using md5(), they execute a shell script to get an MD4 hash! Really you can't make this stuff up...
And what is /usr/local/bin/md4sum you may ask? Well let me show you...
#!/usr/bin/perl -w
use Digest::MD4;
use Unicode::String qw( utf8 );
Unicode::String->stringify_as( "utf16" );
$u8 = utf8( shift );
print Digest::MD4->hexhash($u8->byteswap), "\n";
So we have a PHP script that calls a Perl script to generate an obsolete, insecure MD4 hash. Not only that but Perl doesn't even have MD4 by default, you have explicitly install it. Um...WTF?!
Trackback address for this post:
http://thephpwtf.com/htsrv/trackback.php?tb_id=31
Comments, Trackbacks, Pingbacks:
No Comments/Trackbacks/Pingbacks for this post yet...
Leave a comment: