Full Disclosure mailing list archives



Hilariously Bad SQRL Implementation

If any of you are familiar with Stephen Gibson's SQRL protocol for user authentication (really neat idea), you might have come across this PHP implementation before: https://github.com/geir54/php-sqrl Unfortunately, this library is actually pretty terrible. Not only does it pass all of the data off to a Heroku app to perform the signature verification, it is also vulnerable to SQL Injection: https://github.com/geir54/php-sqrl/blob/0fa574520a1843a33a84c3985f934e84af6f2042/sqrl_verify.php#L39-59 I thought about submitting a pull request to fix this, but I don't believe there is honestly much here to salvage. So, I'm writing my own implementation here: https://github.com/darkitecht/php-sqrl <- Not ready, at all, for even beta testing. P.S. Also, it uses mt_rand() for challenge generation in a crypto library. Tsk tsk. _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

By Date By Thread

Current thread: