Opened 11 months ago
#59824 new defect (bug)
PHP Warning raised in pluggable.php when passing NULL instead of a string
| Reported by: | budiony | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 6.3.3 |
| Component: | Security | Keywords: | needs-patch |
| Focuses: | administration, privacy | Cc: | |
Description
The error message is: `hash_equals(): Expected known_string to be a string, null given in /var/www/../wp-includes/pluggable.php on line 2577`
Hackers often pass NULL when attempting to trigger a leaked server warning message while accessing wp-login.php. This can be easily fixed by introducing type checking in pluggable.php:
```php
function wp_check_password( $password, $hash, $user_id = '' ) {
	global $wp_hasher;

	// If the hash is still md5...
	// $hash is the known_string argument of hash_equals() and must be of type string,
	// so reject non-string values before calling it.
	if ( is_string( $hash ) && strlen( $hash ) <= 32 ) {
		$check = hash_equals( $hash, md5( $password ) );
		// ...
	}
	// The rest of the function is unchanged.
}
```
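To show the proposed guard in isolation, here is an added, stand-alone example; it is not WordPress core code and not the reporter's patch. `safe_hash_equals()` and `check_legacy_md5_password()` are hypothetical helpers that mirror the md5 branch of `wp_check_password()`; the inputs at the bottom are constructed. The point is that `hash_equals()` requires a string as its first argument, so a stored hash that is `NULL` (or any other non-string) has to be rejected before the call rather than inside it, where PHP 7 emits the warning quoted in this ticket and newer PHP versions raise a `TypeError`.

```php
<?php
// Added example (not WordPress core code): guard hash_equals() against a
// non-string known value so a broken or missing stored hash never reaches
// the PHP runtime as an error that could surface on the login page.

/**
 * Constant-time comparison that tolerates a non-string known value.
 * Returns false instead of letting hash_equals() emit a warning (PHP 7)
 * or throw a TypeError (PHP 8) for a NULL or non-string argument.
 */
function safe_hash_equals( $known, $user ): bool {
	if ( ! is_string( $known ) || ! is_string( $user ) ) {
		return false;
	}
	return hash_equals( $known, $user );
}

/**
 * Hypothetical stand-in for the legacy-md5 branch of wp_check_password().
 * $hash is deliberately untyped because the stored value may be NULL.
 */
function check_legacy_md5_password( string $password, $hash ): bool {
	// Not a string, or not a 32-char md5 hash: treat as "no match", silently.
	if ( ! is_string( $hash ) || strlen( $hash ) > 32 ) {
		return false;
	}
	return safe_hash_equals( $hash, md5( $password ) );
}

// Constructed test inputs: [ password, stored hash, expected result ].
$cases = [
	[ 'correct horse', md5( 'correct horse' ), true  ],
	[ 'wrong pass',    md5( 'correct horse' ), false ],
	[ 'anything',      null,                   false ], // the NULL case from this ticket
	[ 'anything',      12345,                  false ], // wrong type, also rejected
];

foreach ( $cases as [ $password, $hash, $expected ] ) {
	$result = check_legacy_md5_password( $password, $hash );
	printf(
		"hash=%-36s -> %-8s (%s)\n",
		var_export( $hash, true ),
		$result ? 'match' : 'no match',
		$result === $expected ? 'ok' : 'UNEXPECTED'
	);
}
```

Run it with `php example.php`; all four rows should print `ok`, and no warning or exception is produced for the `NULL` row. The type check belongs in the code regardless, but the leak described in the ticket only becomes visible to a client when PHP is configured to display errors, so production sites should additionally keep `display_errors` off (in WordPress terms, `WP_DEBUG_DISPLAY` false) and rely on the error log instead.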