[wp-trac] [WordPress Trac] #59824: PHP Warning raised in pluggable.php when passing NULL instead of a string
WordPress Trac
noreply at wordpress.org
Tue Nov 7 07:53:49 UTC 2023
#59824: PHP Warning raised in pluggable.php when passing NULL instead of a string
-------------------------------------+-----------------------------
Reporter: budiony | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 6.3.3
Severity: normal | Keywords: needs-patch
Focuses: administration, privacy |
-------------------------------------+-----------------------------
The error message is related to **hash_equals()**: Expected ''known_string'' to be a string, ''null'' given in /var/www/../wp-includes/pluggable.php on line 2577
Hackers often pass NULL when attempting to trigger a leaked server warning
message while accessing **wp-login.php**. This can be easily fixed by
introducing type checking in pluggable.php:
{{{
function wp_check_password( $password, $hash, $user_id = '' ) {
    global $wp_hasher;

    // If the hash is still md5...
    // $hash is the known_string argument of hash_equals() and must be of
    // type string, so check its type before the comparison is ever reached.
    if ( is_string( $hash ) && strlen( $hash ) <= 32 ) {
        $check = hash_equals( $hash, md5( $password ) );

    // The rest of the function
}}}
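The guard described above carried through to a complete, runnable function, as an added illustration rather than WordPress core code. The function name `guarded_check_password` is hypothetical; the legacy-MD5 branch mirrors the pattern in `wp_check_password()`, and `password_verify()` stands in for WordPress's own PasswordHash handling of non-MD5 hashes.

```php
<?php
// Added illustration (not WordPress core code): a password check that
// validates the type of $hash before hash_equals() is called, so a NULL
// hash can never raise the "Expected known_string to be a string" warning.
function guarded_check_password( $password, $hash ) {
    // Reject anything that is not a non-empty string up front. Returning
    // false is the safe default: an absent or malformed hash never verifies,
    // and no PHP warning (with its server path) is emitted.
    if ( ! is_string( $password ) || ! is_string( $hash ) || $hash === '' ) {
        return false;
    }

    // Legacy MD5 hashes are exactly 32 hex characters (same length test as
    // in wp_check_password()); compare them in constant time.
    if ( strlen( $hash ) <= 32 ) {
        return hash_equals( $hash, md5( $password ) );
    }

    // Anything longer is treated as a modern hash. Assumption: password_verify()
    // is used here in place of WordPress's PasswordHash class.
    return password_verify( $password, $hash );
}

// Constructed sample inputs for a stand-alone run.
$legacy_hash = md5( 'correct horse' );
$modern_hash = password_hash( 'correct horse', PASSWORD_DEFAULT );

var_dump( guarded_check_password( 'correct horse', $legacy_hash ) );
var_dump( guarded_check_password( 'wrong', $legacy_hash ) );
var_dump( guarded_check_password( 'correct horse', $modern_hash ) );
// A NULL hash, as in the ticket, now returns false silently instead of
// reaching hash_equals() with a non-string argument.
var_dump( guarded_check_password( 'correct horse', null ) );
```

Run with `php guarded_check_password.php`; the file is self-contained and needs no WordPress installation.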
--
Ticket URL: <https://core.trac.wordpress.org/ticket/59824>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform