GHSA-58fg-62fg-3fcj
phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing
### Summary
Attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 (SHAttered).
### Details
**Affected File** : `phpmyfaq/src/phpMyFAQ/Attachment/AbstractAttachment.php`
![Screenshot of the affected SHA-1 hashing code in AbstractAttachment.php](https://github.com/user-attachments/assets/6499a008-3ece-4291-8296-f1d3303ba35c)
### Impact
- An attacker can generate SHA-1 collisions to bypass attachment protection
- Risk of password cracking if the database is compromised
- Estimated cracking time: < 1 minute for a standard attachment password
### Solution
**Use bcrypt:**
```php
public function setPassword(string $password): void
{
    // bcrypt via password_hash(): salted, deliberately slow, and upgradeable later
    // with password_needs_rehash() if the cost factor has to be raised.
    $this->passwordHash = password_hash($password, PASSWORD_BCRYPT);
}

public function verifyPassword(string $plainPassword): bool
{
    // password_verify() parses the stored hash and compares in constant time.
    return password_verify($plainPassword, $this->passwordHash);
}
```
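Existing installations already hold SHA-1 digests, so the fix above needs a migration path. The following is an added example, not code from the advisory or the phpMyFAQ project: it verifies a password against either a legacy SHA-1 hash or a bcrypt hash and rehashes to bcrypt on the first successful verification. It assumes the legacy stored value is the plain 40-hex-character output of `sha1()`; the class name and the cost factor are made up for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not phpMyFAQ code): transparent SHA-1 -> bcrypt upgrade.
final class AttachmentPasswordMigrator
{
    private const BCRYPT_OPTIONS = ['cost' => 12]; // assumed cost; tune per server

    public static function hash(string $password): string
    {
        return password_hash($password, PASSWORD_BCRYPT, self::BCRYPT_OPTIONS);
    }

    // Assumption: legacy hashes are the 40-hex-char digest returned by sha1().
    public static function isLegacySha1(string $storedHash): bool
    {
        return preg_match('/^[0-9a-f]{40}$/i', $storedHash) === 1;
    }

    /**
     * Returns null if the password does not match. Otherwise returns the hash
     * to store: a fresh bcrypt hash when the stored value was SHA-1 (or needs a
     * rehash), or the unchanged stored hash when it is already current.
     */
    public static function verifyAndUpgrade(string $password, string $storedHash): ?string
    {
        if (self::isLegacySha1($storedHash)) {
            // Constant-time comparison of the legacy digest; never use == here.
            if (!hash_equals(strtolower($storedHash), sha1($password))) {
                return null;
            }
            return self::hash($password); // migrate to bcrypt on first success
        }
        if (!password_verify($password, $storedHash)) {
            return null;
        }
        // Rehash if the stored hash no longer matches the configured algorithm/cost.
        if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, self::BCRYPT_OPTIONS)) {
            return self::hash($password);
        }
        return $storedHash;
    }
}

// Constructed demonstration: a legacy SHA-1 hash is upgraded to bcrypt on login.
$legacy   = sha1('attachment-secret');
$upgraded = AttachmentPasswordMigrator::verifyAndUpgrade('attachment-secret', $legacy);
assert($upgraded !== null && !AttachmentPasswordMigrator::isLegacySha1($upgraded));
assert(AttachmentPasswordMigrator::verifyAndUpgrade('wrong-password', $legacy) === null);
assert(password_verify('attachment-secret', $upgraded));
```

The caller persists the returned hash whenever it differs from the stored one, so legacy digests disappear as users authenticate; accounts that never log in should be expired or force-reset rather than left on SHA-1 indefinitely.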
### Affected packages
- `thorsten/phpmyfaq` (Composer): fixed in 4.1.4 (`composer require thorsten/phpmyfaq:^4.1.4`)
- `phpmyfaq/phpmyfaq` (Composer): fixed in 4.1.4 (`composer require phpmyfaq/phpmyfaq:^4.1.4`)