CVE-2023-26855: Weak Salt Implementation · Issue #6449 · ChurchCRM/CRM

On what page in the application did you find this issue?

return hash('sha256’, $password . $this->getPersonId());

On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?

Windows/xampp

What browser (and version) are you running?

Firefox

What version of PHP is the server running?

7.4.27

What version of SQL Server are you running?

7.4.27

What version of ChurchCRM are you running?

4.5.3

Weak Salt Implementation

The following report outlines a vulnerability found in the password storage system. The vulnerability arises from the use of a weak salt in the hashing algorithm, which could allow attackers to crack passwords more easily.

Vulnerable Code:

hash('sha256’, $password . $this->getPersonId());

Vulnerability Explanation:
The salt used in the hashing algorithm is generated by the $this->getPersonId() method. However, the method returns an integer value, which is not random or unique for each password. This makes the salt predictable and weak, and could allow attackers to use precomputed hash tables or dictionary attacks to crack the hashed passwords.

Impact:
The vulnerability could allow an attacker to crack passwords more easily, which could result in unauthorized access to user accounts and sensitive information.

Recommendation:
To address this vulnerability, it is recommended to use a more secure and unpredictable salt for each password, such as a random value generated for each password. This will make it more difficult for attackers to crack hashed passwords using precomputed hash tables or dictionary attacks.