Insecure cipher algorithm
MCRYPT_DES
found at line 79 (tail of a challenge-response routine that derives DES keys and encrypts the challenge):
        // Append an odd-parity bit to each 7-bit chunk to form an 8-bit DES key byte
        $b = $s . ((substr_count($s, "1") % 2) ? "0" : "1");
        $key .= chr(bindec($b));
    }
    // DES has a 56-bit effective key and is brute-forceable; ECB mode ignores $iv
    // and leaks repeated blocks. mcrypt itself is deprecated since PHP 7.1 and
    // removed from core in PHP 7.2.
    $ciphertext = mcrypt_encrypt(MCRYPT_DES, $key, $challenge, MCRYPT_MODE_ECB, $iv);
    $response .= $ciphertext;
}
return $response;
Description
The cipher algorithm used to encrypt data is not strong. Encrypting sensitive data with a weak or broken algorithm such as RC2, RC4 or DES (or protecting it with a broken hash such as MD5) leaves it open to several attacks: RC4 has well-known keystream biases, and the 56-bit DES key space can be exhausted by brute force on commodity hardware.
In the past this has led to the following vulnerabilities:
It is recommended to use a robust, currently secure cipher such as AES, in an authenticated mode (for example GCM), with a key of the correct length and a fresh, unpredictable IV or nonce for every message.
Bad practice
// sensitive: RC4 is a broken stream cipher (refer: https://en.wikipedia.org/wiki/RC4#Security);
// it takes no IV, so $iv is silently ignored and reusing $key across messages leaks plaintext XORs
$encryptedData = openssl_encrypt($data, "rc4", $key, $options = OPENSSL_RAW_DATA, $iv);
Recommended
// "aes256" is OpenSSL's alias for aes-256-cbc: $key must be 32 bytes and $iv a random 16-byte
// value generated per message. CBC provides no integrity check, so prefer "aes-256-gcm" and
// store the tag alongside the ciphertext where possible.
$encryptedData = openssl_encrypt($data, "aes256", $key, $options = OPENSSL_RAW_DATA, $iv);
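The following is an added example, not code from the original rule page: it places the flagged RC4 call beside a complete authenticated replacement using AES-256-GCM through PHP's OpenSSL extension, including a decrypt routine that rejects tampered data. The function names, the nonce || tag || ciphertext layout and the sample plaintext and AAD are assumptions chosen for illustration.

```php
<?php
// Added example (not part of the original page): weak RC4 call next to an
// AES-256-GCM implementation with per-message nonce and authentication tag.
declare(strict_types=1);

// Weak: RC4 is a broken stream cipher. openssl_encrypt() ignores any IV for it,
// so every message under the same $key reuses the same keystream.
function encryptWeakRc4(string $data, string $key): string
{
    return openssl_encrypt($data, 'rc4', $key, OPENSSL_RAW_DATA);
}

// Recommended: AES-256-GCM, 12-byte random nonce per message, 16-byte tag.
// Output layout (assumed for this example): nonce || tag || ciphertext.
function encryptAes256Gcm(string $plaintext, string $key, string $aad = ''): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 requires a 32-byte key');
    }
    $nonce = random_bytes(12);          // never reuse a nonce with the same key
    $tag = '';
    $ciphertext = openssl_encrypt(
        $plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, $aad, 16
    );
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return $nonce . $tag . $ciphertext;
}

function decryptAes256Gcm(string $blob, string $key, string $aad = ''): string
{
    if (strlen($blob) < 12 + 16) {
        throw new RuntimeException('ciphertext too short');
    }
    $nonce      = substr($blob, 0, 12);
    $tag        = substr($blob, 12, 16);
    $ciphertext = substr($blob, 28);
    $plaintext = openssl_decrypt(
        $ciphertext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, $aad
    );
    if ($plaintext === false) {
        // Tag mismatch: tampered ciphertext, wrong key, or wrong AAD.
        throw new RuntimeException('authentication failed');
    }
    return $plaintext;
}

// Constructed demo input. In production, load $key from a secret store or derive
// it with a KDF; never hard-code it.
$key    = random_bytes(32);
$secret = 'card=4111111111111111;cvv=123';
$aad    = 'user:42';   // bound to the ciphertext but not encrypted

$blob = encryptAes256Gcm($secret, $key, $aad);
if (decryptAes256Gcm($blob, $key, $aad) !== $secret) {
    throw new RuntimeException('round trip failed');
}

// Flip one ciphertext byte: GCM must reject it rather than return garbage.
$tampered = $blob;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    decryptAes256Gcm($tampered, $key, $aad);
    echo "BUG: tampering not detected\n";
} catch (RuntimeException $e) {
    echo "tampering detected: {$e->getMessage()}\n";
}

// Same plaintext twice under RC4 yields identical output, revealing equality;
// under GCM the random nonce makes the two blobs differ.
var_dump(encryptWeakRc4($secret, $key) === encryptWeakRc4($secret, $key)); // bool(true)
var_dump(encryptAes256Gcm($secret, $key) === encryptAes256Gcm($secret, $key)); // bool(false)
```

Two points the short "aes256" one-liner above does not show: the key must be exactly 32 bytes (passing a shorter passphrase makes OpenSSL zero-pad it), and without the GCM tag a CBC ciphertext can be modified bit-by-bit without detection, so the decrypt side must fail closed on a tag mismatch, as decryptAes256Gcm does. Note also that on OpenSSL 3 builds the 'rc4' cipher lives in the legacy provider and openssl_encrypt() returns false for it unless that provider is loaded, which is one more reason the weak call is unsuitable.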