Make WordPress Core

Opened 6 months ago

#59824 new defect (bug)

PHP Warning raised in pluggable.php when passing NULL instead of a string

Reported by: budiony's profile budiony Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.3.3
Component: Security Keywords: needs-patch
Focuses: administration, privacy Cc:


The error message is related to the hash_equals(): Expected known_string to be a string, null given in /var/www/../wp-includes/pluggable.php on line 2577

Hackers often pass NULL when attempting to trigger a leaked server warning message while accessing wp-login.php. This can be easily fixed by introducing type checking in pluggable.php:

function wp_check_password( $password, $hash, $user_id = '' ) {
		global $wp_hasher;

		// If the hash is still md5...
		if (is_string($hash) && strlen( $hash ) <= 32 ) {
			$check = hash_equals( $hash, md5( $password ) ); //$hash is the **known_string** and it must be of type string
//The rest of the function

Change History (0)

Note: See TracTickets for help on using tickets.