From:             ungdi at hotmail dot com
Operating system: Windows Server 2003
PHP version:      5.0.3
PHP Bug Type:     OpenSSL related
Bug description:  openssl_pkcs7_encrypt(), data interception is too easy

Description:
------------
Currently, the openssl_pkcs7_encrypt() function as according to the
documentation here:
http://www.php.net/manual/en/function.openssl-pkcs7-encrypt.php

Requires that the unencrypted input be a file already on the file system.
This forces any PHP program having to output any form submission contents
(destined to be an encrypted S/MIME e-mail) into the file system before
encryption. After encryption is complete, it will be necessary to delete
the file from the disk.

This method makes it trivial to recover the unencrypted information from
the file on the disk through an undelete command or access of the drive
data. Also, this causes the function to expose the unencrypted data on the
disk to the whole system temporarily. During this window where the data is
being encrypted, after the unencrypted data has been written to a file, it
allows other programs or users to access the file and its unencrypted
contents making it trivial to intercept the data being encrypted.

The function should be made to allow a string/data to be passed directly
to the function without going through the file system. By allowing direct
passing of the string to be encrypted to the openssl_pkcs7_encrypt()
function, this decreases the surface area (possibility) and time frame in
which someone can recover/access the unencrypted information.

Reproduce code:
---------------
Not applicable.

Expected result:
----------------
Not applicable.

Actual result:
--------------
Not applicable.

-- 
Edit bug report at http://bugs.php.net/?id=31945&edit=1
-- 
Try a CVS snapshot (php4):   http://bugs.php.net/fix.php?id=31945&r=trysnapshot4
Try a CVS snapshot (php5.0): 
http://bugs.php.net/fix.php?id=31945&r=trysnapshot50
Try a CVS snapshot (php5.1): 
http://bugs.php.net/fix.php?id=31945&r=trysnapshot51
Fixed in CVS:                http://bugs.php.net/fix.php?id=31945&r=fixedcvs
Fixed in release:            http://bugs.php.net/fix.php?id=31945&r=alreadyfixed
Need backtrace:              http://bugs.php.net/fix.php?id=31945&r=needtrace
Need Reproduce Script:       http://bugs.php.net/fix.php?id=31945&r=needscript
Try newer version:           http://bugs.php.net/fix.php?id=31945&r=oldversion
Not developer issue:         http://bugs.php.net/fix.php?id=31945&r=support
Expected behavior:           http://bugs.php.net/fix.php?id=31945&r=notwrong
Not enough info:             
http://bugs.php.net/fix.php?id=31945&r=notenoughinfo
Submitted twice:             
http://bugs.php.net/fix.php?id=31945&r=submittedtwice
register_globals:            http://bugs.php.net/fix.php?id=31945&r=globals
PHP 3 support discontinued:  http://bugs.php.net/fix.php?id=31945&r=php3
Daylight Savings:            http://bugs.php.net/fix.php?id=31945&r=dst
IIS Stability:               http://bugs.php.net/fix.php?id=31945&r=isapi
Install GNU Sed:             http://bugs.php.net/fix.php?id=31945&r=gnused
Floating point limitations:  http://bugs.php.net/fix.php?id=31945&r=float
No Zend Extensions:          http://bugs.php.net/fix.php?id=31945&r=nozend
MySQL Configuration Error:   http://bugs.php.net/fix.php?id=31945&r=mysqlcfg

Reply via email to