PHP password_verify() Validation Error Vulnerability (CVE-2023-0567)

The PHP password_verify() function suffers a validation error vulnerability in certain versions where a "$" character in the BCrypt salt triggers a buffer over-read, allowing any password to be accepted as valid and potentially enabling password-less logins.


In PHP, the password_verify() function is used to verify whether a password matches a stored hash.

A validation-error vulnerability exists in affected versions: if the BCrypt hash's salt part contains a "$" character, the function triggers a buffer over-read, causing any password to be treated as valid.

When BCrypt hashes are stored in a database, this flaw allows an attacker to log into the application without knowing the actual password.

Vulnerability Name: PHP password_verify() Validation Error Vulnerability
Vulnerability Type: Improper Input Validation
Discovery Date: 2023-03-01
Impact Scope: Wide
MPS ID: MPS-2023-3075
CVE ID: CVE-2023-0567
CNVD ID: -

Impact Scope (affected versions):
php@[8.0.x, 8.0.28)
php@[8.1.x, 8.1.16)
php@[8.2.x, 8.2.3)

Remediation: Upgrade PHP to 8.0.28, 8.1.16, or 8.2.3 or later, depending on the branch in use.
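As an added, defensive example that is not part of the original advisory: a PHP script that checks the running interpreter against the fixed releases listed above and audits stored BCrypt hashes for a "$" (or any other character outside the BCrypt alphabet) in the salt/digest region, the malformed input the advisory describes. It assumes the standard BCrypt modular-crypt layout ($2y$, two-digit cost, 22-character salt, 31-character digest); the sample hashes are constructed.

```php
<?php
// Added example, not from the original advisory. Sample hashes are constructed.
declare(strict_types=1);

// First fixed release of each affected branch, as listed in the advisory.
const FIXED_RELEASES = ['8.0' => '8.0.28', '8.1' => '8.1.16', '8.2' => '8.2.3'];

// True when $version is at or above the fix for its branch. Branches that the
// advisory does not list as affected are treated as not vulnerable.
function phpHasFix(string $version = PHP_VERSION): bool
{
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    if (!isset(FIXED_RELEASES[$branch])) {
        return true;
    }
    return version_compare($version, FIXED_RELEASES[$branch], '>=');
}

// Standard BCrypt layout: "$2y$" (also 2a/2b), two-digit cost 04-31, "$", then
// 53 characters from the BCrypt alphabet [./A-Za-z0-9] (22 salt + 31 digest).
// A '$' inside that 53-character tail is the malformed-salt case in the advisory.
function bcryptHashIsWellFormed(string $hash): bool
{
    return preg_match('#^\$2[aby]\$(0[4-9]|[12]\d|3[01])\$[./A-Za-z0-9]{53}$#', $hash) === 1;
}

// Returns the keys (user identifiers) whose stored hash is not well-formed.
// Such records should be reset rather than passed to password_verify().
function auditHashes(array $hashesByUser): array
{
    $flagged = [];
    foreach ($hashesByUser as $userId => $hash) {
        if (!bcryptHashIsWellFormed($hash)) {
            $flagged[] = $userId;
        }
    }
    return $flagged;
}

// Constructed sample data: one hash produced by password_hash(), one hand-built
// hash of the right length whose 22nd salt character is a '$'.
$samples = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
    'bob'   => '$2y$10$abcdefghijklmnopqrstu$vwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ',
];

printf("PHP %s carries the CVE-2023-0567 fix: %s\n", PHP_VERSION, phpHasFix() ? 'yes' : 'no, upgrade');
printf("Users with malformed BCrypt hashes: %s\n", implode(', ', auditHashes($samples)) ?: 'none');
```

The script never calls password_verify() on the stored hashes, so it can be run against a hash export before the upgrade; flagged records should be reset out of band.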

Written by Laravel Tech Community

Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.