Why use MD5 when you got MD4?
Submitted by phrax on Tue, 2004-10-05 14:56.
Okay, before we get deeper into this craziness, I would like to remind people that md5() has been available since PHP 3. Plus, MD5 is way more secure than MD4... so I introduce you to today's PHP WTF.
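<?php
function getMd4Pwd($pwd) {
    $pwd = trim($pwd);
    if (strlen($pwd) <= 0)
        return "";
    unset($arrOut);
    // Line highlighted in the original post: the password is appended,
    // unescaped, to a command line that exec() hands to the shell.
    $strCmd = "/usr/local/bin/md4sum ".$pwd;
    exec($strCmd,$arrOut);
    // First line of the helper's output, upper-cased.
    return strtoupper($arrOut[0]);
}
?>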
But wait! It gets worse... Not only are they not using md5(), they execute a shell script to get an MD4 hash! Really, you can't make this stuff up...
And what is /usr/local/bin/md4sum, you may ask? Well, let me show you...
#!/usr/bin/perl -w
use Digest::MD4;
use Unicode::String qw( utf8 );
Unicode::String->stringify_as( "utf16" );
$u8 = utf8( shift );
print Digest::MD4->hexhash($u8->byteswap), "\n";
So we have a PHP script that calls a Perl script to generate an obsolete, insecure MD4 hash. Not only that, but Perl doesn't even have MD4 by default; you have to explicitly install it. Um... WTF?!
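For comparison, the same value can be produced inside PHP with no shell and no Perl helper. This is an added example, not code from the original post or the application it describes. The function name getMd4PwdInProcess is hypothetical, and the code assumes md4sum hashes the UTF-16LE bytes of its first argument, as the byteswap of the UTF-16 string suggests.

```php
<?php
// Added example: same output format as getMd4Pwd(), computed in-process.
// Assumption: md4sum hashes the UTF-16LE bytes of its first argument.
function getMd4PwdInProcess(string $pwd): string
{
    $pwd = trim($pwd);
    if ($pwd === '') {
        return '';
    }
    // iconv() returns false on input that is not valid UTF-8; refuse it
    // rather than hashing the result of a failed conversion.
    $utf16le = @iconv('UTF-8', 'UTF-16LE', $pwd);
    if ($utf16le === false) {
        throw new InvalidArgumentException('password is not valid UTF-8');
    }
    // hash() runs inside PHP: the password never reaches a shell, a command
    // line or the process list, so spaces and quotes are ordinary data.
    return strtoupper(hash('md4', $utf16le));
}

// Constructed sample passwords. With the exec() version the shell splits the
// second one at the space, so md4sum only sees the first word, and the third
// leaves the shell with an unbalanced quote.
$samples = ['Tr0ub4dor', 'two words', "it's quoted"];
foreach ($samples as $pwd) {
    printf("%-12s %s\n", $pwd, getMd4PwdInProcess($pwd));
}

// The two-word password must not collapse to the hash of its first word.
var_dump(getMd4PwdInProcess('two words') !== getMd4PwdInProcess('two'));
```

This keeps the stored format unchanged for compatibility; it does not make MD4 any stronger as a password hash.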