[wp-trac] [WordPress Trac] #63457: WordPress 6.8 will fail creating bcrypt when entropy sources are not available
WordPress Trac
noreply at wordpress.org
Sun May 18 12:57:54 UTC 2025
#63457: WordPress 6.8 will fail creating bcrypt when entropy sources are not available
-------------------------------+------------------------------
Reporter: isgroup | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 6.8
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses:
-------------------------------+------------------------------
Comment (by isgroup):
Hi @johnbillion@, thanks for your reply. It's an edge case but MAY happen.
- What is the use case for running a system where /dev/urandom is not
available? What is the source of randomness in this case?
Chrooted PHP-FPM with no access to /dev/, for example, but it could also
occur when the entropy pool is exhausted. So it would be better to check
whether password_hash() or its underlying functions emit warnings or errors,
in order to have more deterministic behavior.
Another method would be to check whether the generated hash has the correct
format (e.g. check for length).
- Which version of PHP are you using?
From my understanding this could happen independently of the PHP version,
7.4 onward.
To reproduce, simply create a Docker container and chmod /dev/urandom so that
PHP can't access it. Old password methods will work (e.g. $P$) but the newer
method will emit a warning and put ONLY "$wp" in the field.
Regardless, my observations are that login fails, so I can't say it's an
authentication bypass, but maybe more experienced WP developers have a
different take on this matter. That's why I marked the ticket as User and
not Security.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63457#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
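The two checks proposed in the comment above (treat a warning or exception from password_hash() as a hard failure, and validate the hash format before storing it), written out as an added PHP example. This is not WordPress core code: the function names hardened_hash_password() and is_usable_stored_wp_hash() are hypothetical, and the "$wp" prefixing only mirrors what the ticket says the 6.8 scheme writes to the field, not any other detail of that scheme.

```php
<?php
declare(strict_types=1);

// Added example, not WordPress core code. It shows (1) turning the failure
// paths of password_hash() into a hard abort and (2) validating the bcrypt
// format so that a truncated value such as a bare "$wp" is never stored.

/**
 * True only for a complete bcrypt string:
 * "$2y$" (or $2a$/$2b$) + 2-digit cost + "$" + 22-char salt + 31-char digest
 * = 60 characters drawn from bcrypt's ./A-Za-z0-9 alphabet.
 */
function is_well_formed_bcrypt(string $hash): bool
{
    return strlen($hash) === 60
        && preg_match('#^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$#', $hash) === 1;
}

/**
 * Hypothetical hardened hasher. Like the 6.8 scheme the ticket describes, it
 * prepends "$wp" to a bcrypt hash, but it returns null unless the bcrypt step
 * demonstrably succeeded, so the caller must abort the password change rather
 * than store the result.
 */
function hardened_hash_password(string $password, int $cost = 10): ?string
{
    // PHP 7.x reports a missing CSPRNG as a warning plus a false return value;
    // PHP 8.x throws. Promote the warning to an exception so both paths land in
    // the same catch block.
    set_error_handler(static function (int $errno, string $errstr): bool {
        throw new \ErrorException($errstr, 0, $errno);
    });
    try {
        $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    } catch (\Throwable $e) {
        error_log('bcrypt hashing failed: ' . $e->getMessage());
        return null;
    } finally {
        restore_error_handler();
    }

    if (!is_string($hash) || !is_well_formed_bcrypt($hash)) {
        error_log('bcrypt returned no usable hash; refusing to store a truncated value');
        return null;
    }
    return '$wp' . $hash;
}

/**
 * Detection helper for an existing user table: true only if the stored value is
 * a usable "$wp"-prefixed bcrypt hash. A bare "$wp" (the symptom in the ticket)
 * or any other truncated value yields false, so affected accounts can be listed
 * and sent through a password reset. Legacy $P$ hashes are out of scope here.
 */
function is_usable_stored_wp_hash(string $stored): bool
{
    if (strncmp($stored, '$wp', 3) !== 0) {
        return false; // not the new scheme; handle legacy formats elsewhere
    }
    return is_well_formed_bcrypt(substr($stored, 3));
}

// Usage with constructed sample values.
var_dump(is_usable_stored_wp_hash('$wp'));                        // the truncated value from the ticket
var_dump(is_usable_stored_wp_hash('$wp' . password_hash('x', PASSWORD_BCRYPT)));
$h = hardened_hash_password('correct horse battery staple');
echo $h === null ? "hashing failed, nothing stored\n" : "stored {$h}\n";
```

On a host where /dev/urandom is reachable the first var_dump is false and the second true; on the chrooted PHP-FPM setup described in the comment, hardened_hash_password() returns null instead of handing "$wp" to the database layer, and is_usable_stored_wp_hash() can be run over the user table to find rows that were already written in the broken state.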