Submission #802561: opensourcepos Open Source Point of Sale 3.4.1 Weak Encoding for Password

Information

Title: opensourcepos Open Source Point of Sale 3.4.1 Weak Encoding for Password
Description: The system still accepts MD5 hashes for password verification, supporting legacy accounts. MD5 is cryptographically broken and unsuitable for password hashing. Attackers with rainbow tables can crack these passwords.

    public function login(string $username, string $password): bool
    {
        $builder = $this->db->table('employees');
        $query = $builder->getWhere(['username' => $username, 'deleted' => 0], 1);

        if ($query->getNumRows() === 1) {
            $row = $query->getRow();

            // Compare passwords depending on the hash version
            if ($row->hash_version === '1' && $row->password === md5($password)) { // VULNERABLE
                $builder->where('person_id', $row->person_id);
                $this->session->set('person_id', $row->person_id);
                $password_hash = password_hash($password, PASSWORD_DEFAULT);
                return $builder->update(['hash_version' => 2, 'password' => $password_hash]);
            } elseif ($row->hash_version === '2' && password_verify($password, $row->password)) {
                $this->session->set('person_id', $row->person_id);
                return true;
            }
        }

        return false;
    }

It is recommended to migrate to SHA-256 or a stronger encryption algorithm. It is also recommended to use forced password resets for the already created accounts to ensure the credentials are rotated and the latest encryption is applied to the new credentials.
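The forced-reset approach recommended above, written out as an added example that is not the project's code: legacy `hash_version` 1 rows are never checked against their MD5 hash at login; the account is instead reported as needing a reset, and the reset stores a `password_hash()` value (the same modern path the project already uses for version 2) and retires the MD5 hash. The in-memory `$employees` array, the `login`/`resetPassword`/`legacyAccounts` function names and the `HASH_VERSION_*` constants are constructed for this example; a real deployment would read and write the `employees` table instead.

```php
<?php
// Added example, not opensourcepos code: refuse MD5-based logins, force a
// reset for legacy accounts, and keep modern hashes on the current default.
declare(strict_types=1);

// Assumed constants mirroring the page's hash_version values 1 and 2.
const HASH_VERSION_LEGACY_MD5 = 1;
const HASH_VERSION_PASSWORD_HASH = 2;

// Constructed sample rows: one legacy MD5 account, one modern account.
$employees = [
    ['person_id' => 1, 'username' => 'legacy', 'deleted' => 0,
     'hash_version' => HASH_VERSION_LEGACY_MD5, 'password' => md5('secret1')],
    ['person_id' => 2, 'username' => 'modern', 'deleted' => 0,
     'hash_version' => HASH_VERSION_PASSWORD_HASH,
     'password' => password_hash('secret2', PASSWORD_DEFAULT)],
];

/**
 * Returns 'ok', 'reset_required' or 'denied'. A legacy row is never verified
 * against MD5; the caller must send the user through the reset flow.
 */
function login(array &$employees, string $username, string $password): string
{
    foreach ($employees as $i => $row) {
        if ($row['username'] !== $username || $row['deleted'] !== 0) {
            continue;
        }
        if ((int) $row['hash_version'] === HASH_VERSION_LEGACY_MD5) {
            return 'reset_required';
        }
        if ((int) $row['hash_version'] === HASH_VERSION_PASSWORD_HASH
            && password_verify($password, $row['password'])) {
            // Re-hash when the stored value lags the current default algorithm or cost.
            if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
                $employees[$i]['password'] = password_hash($password, PASSWORD_DEFAULT);
            }
            return 'ok';
        }
        return 'denied';
    }
    return 'denied';
}

/** Completes a forced reset: stores a password_hash() value and retires the MD5 hash. */
function resetPassword(array &$employees, string $username, string $newPassword): bool
{
    foreach ($employees as $i => $row) {
        if ($row['username'] === $username && $row['deleted'] === 0) {
            $employees[$i]['password'] = password_hash($newPassword, PASSWORD_DEFAULT);
            $employees[$i]['hash_version'] = HASH_VERSION_PASSWORD_HASH;
            return true;
        }
    }
    return false;
}

/** Lists accounts still holding an MD5 hash, i.e. the targets of the reset campaign. */
function legacyAccounts(array $employees): array
{
    $legacy = array_filter(
        $employees,
        fn(array $r): bool => (int) $r['hash_version'] === HASH_VERSION_LEGACY_MD5
    );
    return array_values(array_map(fn(array $r): string => $r['username'], $legacy));
}

// Walk through the flow on the constructed rows.
var_dump(legacyAccounts($employees));
var_dump(login($employees, 'legacy', 'secret1'));
var_dump(resetPassword($employees, 'legacy', 'new-secret'));
var_dump(login($employees, 'legacy', 'new-secret'));
var_dump(legacyAccounts($employees));
var_dump(login($employees, 'modern', 'wrong'));
```

Run with `php example.php`. The design point is that the MD5 digest is never used as an authentication factor once the account is flagged: the original code's transparent upgrade-on-login only retires an MD5 hash after that hash has been exercised, so rows whose users never log in keep a crackable digest at rest indefinitely, which is exactly what a reset campaign driven by `legacyAccounts()` closes off.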
User: Kamran Saifullah (UID 4218)
Submission: 11/04/2026 12:20 AM (2 months ago)
Moderation: 18/05/2026 06:38 AM (1 month later)
Status: Accepted
VulDB Entry: 364436 [opensourcepos Open Source Point of Sale up to 3.4.2 Employee Login app/Models/Employee.php login weak encryption]
Points: 17
