Summary
Attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 (SHAttered).
Details
Affected File : phpmyfaq/src/phpMyFAQ/Attachment/AbstractAttachment.php

Impact
- An attacker can generate SHA-1 collisions to bypass attachment protection
- Risk of password cracking if database is compromised
- Estimated cracking time: < 1 minute for standard attachment
Solution
Use bcrypt:
public function setPassword(string $password): void
{
$this->passwordHash = password_hash($password, PASSWORD_BCRYPT);
}
public function verifyPassword(string $plainPassword): bool
{
return password_verify($plainPassword, $this->passwordHash);
}
References
Summary
Attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 (SHAttered).
Details
Affected File :
phpmyfaq/src/phpMyFAQ/Attachment/AbstractAttachment.phpImpact
Solution
Use bcrypt:
References