Make WordPress Core

Opened 5 weeks ago

Last modified 5 weeks ago

#61258 new defect (bug)

class-phpass.php uses old '2a' prefix for crypt_blowfish hashes

Reported by: timrutter's profile timrutter Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: trunk
Component: Security Keywords: has-patch
Focuses: Cc:


class-phpass.php currently uses the old '2a' prefix for crypt_blowfish hashes

Since PHP 5.3.7 (crypt_blowfish 1.2) the prefix of '2y' has been recommended.

The prefix '$2y$' is used to identify correctly computed hashes from the older potentially weak '$2a$' hashes from CVE-2011-2483

Attachments (1)

class-phpass.patch (1.7 KB) - added by timrutter 5 weeks ago.

Download all attachments as: .zip

Change History (2)

5 weeks ago


This ticket was mentioned in PR #6593 on WordPress/wordpress-develop by t-rutter.

5 weeks ago

Updated gensalt_blowfish() to use the prefix '$2y' for PHP versions 5.2.7 and later Added backwards compatible define for PHP_VERSION_ID Removed duplicate PHPDOC comment

Trac ticket:

Note: See TracTickets for help on using tickets.