[Owasp-board] Fwd: [phpsec] confidentialString function uses hard-coded key (#108)

johanna curiel curiel johanna.curiel at owasp.org
Wed Nov 25 15:51:03 UTC 2015

Some more comments from users...

---------- Forwarded message ----------
From: Katy Ereira <notifications at github.com>
Date: Fri, Nov 20, 2015 at 5:54 AM
Subject: Re: [phpsec] confidentialString function uses hard-coded key (#108)
To: OWASP/phpsec <phpsec at noreply.github.com>

Hi @rash805115 <https://github.com/rash805115>, I have some questions
based on what you have just said, then.

How, apart from editing the phpsec Encryption class manually, do you expect
users of the class to set their own key? It is a private variable, and
there is no method available to set it to anything other than what is
defined in the file itself. I don't see why you can't have a configuration
mechanism in a plug-and-play library, by the way, especially when you
/expect/ people to set their own key.

You use Laravel as an example of having a plaintext key in configuration
files; this is true - a plaintext key exists in the environment
configuration. This key is stored on the server outside of the public
realm, and is not defined by default. It essentially forces you to create
this key yourself on a per-environment basis. This is much more secure than
hard-coding a private key variable within an encryption class, which people
may or may not realise they need to edit!

Although nobody has been contributing to this project, it is nevertheless
sad to see that a project with a focus on security is insecure itself, and
with the project still publicly available, no doubt people are still using
it. I feel that there is a duty to inform your users of the steps they
should take in order to secure this code themselves, even if that is just
by editing the class directly, as currently - and correct me if I am wrong
- there is no documentation that explains that this must be done.

I also agree that this project should be taken down, if it is not to be

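The contrast drawn in the forwarded message, between a key hard-coded in the class and a key each environment must supply, as an added example that is not part of the thread and is not phpsec's or Laravel's code. The class names, the `APP_ENC_KEY` variable and the AES-256-GCM layout are assumptions chosen for illustration; it assumes PHP 8 with the openssl extension.

```php
<?php
declare(strict_types=1);

// Pattern the message objects to (constructed, not phpsec's code): every
// install that never edits this file shares the key published in the repo.
final class HardCodedCipher { private $key = 'default-key-shipped-in-source'; }

// Alternative: no default at all; each environment must supply its own key.
final class EnvKeyCipher
{
    private string $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== 32) {
            throw new InvalidArgumentException('Key must be exactly 32 bytes.');
        }
        $this->key = $key;
    }

    // APP_ENC_KEY (hypothetical name) holds base64 of 32 random bytes.
    public static function fromEnvironment(string $var = 'APP_ENC_KEY'): self
    {
        $key = base64_decode((string) getenv($var), true);
        if ($key === false || $key === '') {
            throw new RuntimeException("$var missing or not base64; no default key is used.");
        }
        return new self($key);
    }

    public function encrypt(string $plaintext): string
    {
        $iv = random_bytes(12);
        $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA, $iv, $tag);
        if ($ct === false) { throw new RuntimeException('Encryption failed.'); }
        return base64_encode($iv . $tag . $ct); // layout: iv(12) | tag(16) | ciphertext
    }

    public function decrypt(string $blob): string
    {
        $raw = base64_decode($blob, true);
        if ($raw === false || strlen($raw) < 28) { throw new RuntimeException('Malformed input.'); }
        $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
        if ($pt === false) { throw new RuntimeException('Wrong key or tampered data.'); }
        return $pt;
    }
}

putenv('APP_ENC_KEY=' . base64_encode(random_bytes(32))); // constructed key for the demo only
echo EnvKeyCipher::fromEnvironment()->decrypt(EnvKeyCipher::fromEnvironment()->encrypt('secret')), PHP_EOL;
```

With the variable unset, `fromEnvironment()` throws instead of encrypting under a shared default, so a forgotten key shows up as a startup failure rather than as data protected by a publicly known value.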