Okay, before we get deeper into this craziness, I would like to remind people that md5() has been available since PHP 3. Plus, MD5 is way more secure than MD4... so I introduce you to today's PHP WTF.
<?php
function getMd4Pwd($pwd) {
    $pwd = trim($pwd);
    if (strlen($pwd) <= 0)
        return "";
    unset($arrOut);
    $strCmd = "/usr/local/bin/md4sum ".$pwd;
    exec($strCmd,$arrOut);
    return strtoupper($arrOut[0]);
}
?>
But wait! It gets worse... not only are they not using md5(), they execute a shell script to get an MD4 hash! Really, you can't make this stuff up...
And what is /usr/local/bin/md4sum, you may ask? Well, let me show you...
#!/usr/bin/perl -w
use Digest::MD4;
use Unicode::String qw( utf8 );
Unicode::String->stringify_as( "utf16" );
$u8 = utf8( shift );
print Digest::MD4->hexhash($u8->byteswap), "\n";
So we have a PHP script that calls a Perl script to generate an obsolete, insecure MD4 hash. Not only that, but Perl doesn't even have MD4 by default; you have to explicitly install it. Um... WTF?!
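Beyond the detour through Perl, getMd4Pwd() concatenates the password unquoted into a command line, so the shell word-splits and interprets it before md4sum sees it; a password containing a space is hashed only up to the space, because the Perl script reads just its first argument. The following is an added example, not code from the original post or the project it quotes: it computes the same value in-process with PHP's hash(), next to a hardened form of the shell call for the case where the helper has to stay. It assumes the mbstring extension, UTF-8 input, and that the Perl script's output is the MD4 of the UTF-16LE bytes of its argument; getMd4PwdInProcess and getMd4PwdViaHelper are hypothetical names.

```php
<?php
// Added example: same result as getMd4Pwd(), without spawning a shell.
// Assumption: $pwd is UTF-8 and the mbstring extension is loaded.
function getMd4PwdInProcess(string $pwd): string
{
    $pwd = trim($pwd);
    if ($pwd === '') {
        return '';
    }
    // Assumption: md4sum hashes the UTF-16LE bytes of its argument
    // (utf8() + byteswap in the Perl script), so encode the same way here.
    $utf16le = mb_convert_encoding($pwd, 'UTF-16LE', 'UTF-8');
    return strtoupper(hash('md4', $utf16le));
}

// If the external helper must stay: pass the password as exactly one quoted
// argument and check what came back instead of trusting $out[0] to exist.
// The password is still visible in the process list while the helper runs.
function getMd4PwdViaHelper(string $pwd, string $helper = '/usr/local/bin/md4sum'): string
{
    $pwd = trim($pwd);
    if ($pwd === '') {
        return '';
    }
    $out = [];
    $status = 1;
    exec($helper . ' ' . escapeshellarg($pwd), $out, $status);
    // A failed exec leaves $out empty; the original would read an undefined index.
    if ($status !== 0 || !isset($out[0]) || !preg_match('/^[0-9a-f]{32}$/i', $out[0])) {
        throw new RuntimeException('md4sum helper failed or returned unexpected output');
    }
    return strtoupper($out[0]);
}

// Constructed sample inputs: a plain password, one with a space (truncated at
// the space by the original), and one with a shell metacharacter.
foreach (['password', 'two words', 'a;b'] as $sample) {
    printf("%-10s %s\n", $sample, getMd4PwdInProcess($sample));
}
```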