Opened 6 months ago
#59824 new defect (bug)
PHP Warning raised in pluggable.php when passing NULL instead of a string
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 6.3.3 |
| Component: | Security | Keywords: | needs-patch |
| Focuses: | administration, privacy | Cc: |
Description
The error message is related to the hash_equals(): Expected known_string to be a string, null given in /var/www/../wp-includes/pluggable.php on line 2577
Hackers often pass NULL when attempting to trigger a leaked server warning message while accessing wp-login.php. This can be easily fixed by introducing type checking in pluggable.php:
function wp_check_password( $password, $hash, $user_id = '' ) {
global $wp_hasher;
// If the hash is still md5...
if (is_string($hash) && strlen( $hash ) <= 32 ) {
$check = hash_equals( $hash, md5( $password ) ); //$hash is the **known_string** and it must be of type string
//The rest of the function
Note: See
TracTickets for help on using
tickets.