October 2004
Mon Tue Wed Thu Fri Sat Sun
<<  <   >  >>
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31


powered by

Valid XHTML 1.0!


03:06:07 pm, Categories: Bad Architecture, 174 words  

Why use MD5 when you got MD4?

Okay before we get deeper into this craziness I would like to remind people that MD5() has been available since php3. Plus MD5 is way more secure than MD4... so I introduce you to today's PHP WTF.

  function getMd4Pwd($pwd) {
    $pwd = trim($pwd);
    if (strlen($pwd) <= 0)
      return "";
    $strCmd = "/usr/local/bin/md4sum ".$pwd;
    return strtoupper($arrOut[0]);

But wait! It gets worse... not only are they not using md5(), they execute a shell script to get an MD4 hash! Really you can't make this stuff up...

And what is /usr/local/bin/md4sum you may ask? Well let me show you...

#!/usr/bin/perl -w
use Digest::MD4;
use Unicode::String qw( utf8 );
Unicode::String->stringify_as( "utf16" );
$u8 = utf8( shift );
print Digest::MD4->hexhash($u8->byteswap), "\n";

So we have a PHP script that calls a Perl script to generate an obsolete, insecure MD4 hash. Not only that but Perl doesn't even have MD4 by default, you have explicitly install it. Um...WTF?!

Trackback address for this post:


Comments, Trackbacks, Pingbacks:

No Comments/Trackbacks/Pingbacks for this post yet...

Leave a comment:

Your email address will not be displayed on this site.
Your URL will be displayed.
Allowed XHTML tags: <p, ul, ol, li, dl, dt, dd, address, blockquote, ins, del, a, span, bdo, br, em, strong, dfn, code, samp, kdb, var, cite, abbr, acronym, q, sub, sup, tt, i, b, big, small>
URLs, email, AIM and ICQs will be converted automatically.
(Line breaks become <br />)
(Set cookies for name, email & url)