PHP

Made by DeepSource

Audit required: Use of an insecure cipher PHP-A1007

Security
Critical
Tags: a02, cwe-327, sans top 25, owasp top 10, cwe-331

The cipher algorithm used to encrypt data is not strong. Using a weak or broken algorithm such as RC2, RC4, DES or MD5 to protect sensitive data leaves it exposed to several well-known attacks.

In the past it has led to the following vulnerabilities:

It is recommended to use a robust, secure cipher such as AES to encrypt data.

Bad practice

// sensitive: RC4 is a broken stream cipher, vulnerable to several attacks (refer: https://en.wikipedia.org/wiki/RC4#Security)
$encryptedData = openssl_encrypt($data, "rc4", $key, OPENSSL_RAW_DATA, $iv);

Recommended

// "aes256" is OpenSSL's alias for aes-256-cbc; $iv must be 16 fresh random bytes per message
$encryptedData = openssl_encrypt($data, "aes256", $key, OPENSSL_RAW_DATA, $iv);
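As an added example (not DeepSource's own code), the following shows the recommended replacement carried through: AES-256-GCM via openssl_encrypt with a fresh random IV, the authentication tag stored alongside the ciphertext, and a guard that refuses the weak cipher names this check flags. It assumes PHP 8 or later and a 32-byte key from random_bytes() or a KDF.

```php
<?php
// Added example, not from the original page: authenticated AES-256-GCM
// in place of the RC4 call flagged by PHP-A1007. Assumes PHP >= 8.0.

const CIPHER = 'aes-256-gcm';
const TAG_LEN = 16;
// Cipher-name prefixes this guard rejects (constructed list for the example).
const WEAK_PREFIXES = ['rc2', 'rc4', 'des', 'des3', 'bf', 'md5'];

function assertStrongCipher(string $cipher): void {
    $name = strtolower($cipher);
    foreach (WEAK_PREFIXES as $weak) {
        if (str_starts_with($name, $weak)) {
            throw new InvalidArgumentException("Refusing weak cipher: $cipher");
        }
    }
    if (!in_array($name, openssl_get_cipher_methods(), true)) {
        throw new InvalidArgumentException("Cipher not available: $cipher");
    }
}

function encryptData(string $plaintext, string $key): string {
    assertStrongCipher(CIPHER);
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 requires a 32-byte key');
    }
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER)); // 12 bytes for GCM, never reused
    $tag = '';
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct; // IV and tag are not secret; ship them with the ciphertext
}

function decryptData(string $blob, string $key): string {
    $ivLen = openssl_cipher_iv_length(CIPHER);
    $iv  = substr($blob, 0, $ivLen);
    $tag = substr($blob, $ivLen, TAG_LEN);
    $ct  = substr($blob, $ivLen + TAG_LEN);
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('decryption failed: wrong key or data tampered');
    }
    return $pt;
}

// Constructed demo: round-trip, then flip one ciphertext bit to show GCM rejecting it.
$key  = random_bytes(32);
$blob = encryptData('constructed sample record 0001', $key);
var_dump(decryptData($blob, $key) === 'constructed sample record 0001'); // bool(true)
$blob[strlen($blob) - 1] = chr(ord($blob[-1]) ^ 1);
try { decryptData($blob, $key); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

With the CBC alias from the recommended snippet, an attacker can modify ciphertext undetected; GCM's tag check is what turns the second decryptData call into a hard failure.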

References