
PHP password_verify() Validation Error Vulnerability (CVE-2023-0567)

The PHP password_verify() function suffers a validation error vulnerability in certain versions where a "$" character in the BCrypt salt triggers a buffer over‑read, allowing any password to be accepted as valid and potentially enabling password‑less logins.

Laravel Tech Community

In PHP, the password_verify() function is used to verify whether a password matches a stored hash.

A validation‑error vulnerability exists in affected versions: if the BCrypt hash’s salt part contains a $ character, the function triggers a buffer over‑read, causing any password to be treated as valid.

When BCrypt hashes are stored in a database, this flaw allows an attacker to log into the application without knowing the actual password.

Vulnerability Name: PHP password_verify() Validation Error Vulnerability

Vulnerability Type: Improper Input Validation

Discovery Date: 2023-03-01

Impact Scope: Wide

MPS ID: MPS-2023-3075

CVE ID: CVE-2023-0567

CNVD ID: -

Affected Versions:

php@[8.0.x, 8.0.28)

php@[8.1.x, 8.1.16)

php@[8.2.x, 8.2.3)

Remediation

Upgrade PHP to version 8.0.28, 8.1.16, 8.2.3 or later.
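A defensive wrapper, added here as an example and not part of the original advisory: it refuses any stored BCrypt hash that does not match the strict 60-character layout, so a hash whose salt part contains "$" never reaches password_verify(), and it reports whether the running interpreter falls inside the affected version ranges listed above. The function names are assumptions, and the sample hashes are constructed.

```php
<?php
// Added example (not from the original post). bcrypt_hash_is_wellformed(),
// php_in_cve_2023_0567_range() and safe_password_verify() are assumed names.

// Strict BCrypt layout: "$2a$", "$2b$" or "$2y$", a two-digit cost (04..31),
// a "$", then 22 salt characters plus 31 hash characters (53 in total), all
// drawn from the bcrypt base64 alphabet [./A-Za-z0-9]. A "$" anywhere in the
// salt part (the trigger described in the advisory) fails this check.
function bcrypt_hash_is_wellformed(string $hash): bool
{
    $re = '/^\$2[aby]\$(0[4-9]|[12][0-9]|3[01])\$[.\/A-Za-z0-9]{53}$/';
    return preg_match($re, $hash) === 1;
}

// True when PHP_VERSION lies inside one of the affected ranges given in the
// advisory: [8.0.0, 8.0.28), [8.1.0, 8.1.16) or [8.2.0, 8.2.3).
function php_in_cve_2023_0567_range(string $version = PHP_VERSION): bool
{
    $ranges = [['8.0.0', '8.0.28'], ['8.1.0', '8.1.16'], ['8.2.0', '8.2.3']];
    foreach ($ranges as [$lo, $fixed]) {
        if (version_compare($version, $lo, '>=') && version_compare($version, $fixed, '<')) {
            return true;
        }
    }
    return false;
}

// Validate the stored hash before handing it to password_verify(). On a
// patched PHP this is cheap defence in depth; on an unpatched one it closes
// the password-less login path by never evaluating a malformed hash.
function safe_password_verify(string $password, string $hash): bool
{
    if (!bcrypt_hash_is_wellformed($hash)) {
        error_log('safe_password_verify: refused malformed bcrypt hash');
        return false;
    }
    return password_verify($password, $hash);
}

// Constructed demonstration values.
$good = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);
$bad  = '$2y$10$' . '$' . str_repeat('a', 52); // constructed: "$" inside the salt part

if (php_in_cve_2023_0567_range()) {
    error_log('PHP ' . PHP_VERSION . ' is inside the CVE-2023-0567 affected range');
}
var_dump(safe_password_verify('correct horse', $good));
var_dump(safe_password_verify('wrong password', $good));
var_dump(safe_password_verify('anything', $bad));
```

The last call returns false regardless of PHP version because the hash is rejected by the format check before password_verify() is consulted.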
