🐛[BUG] - Concrete5 8.3.2 and PHP v7.2, mcrypt no longer supported!

Hello,

On the Concrete5 "System Requirements" page:
I do see that the PHP extension Mcrypt is required for concrete5 8.x.x.
Is this a BUG by design?

Mcrypt for PHP v7.2 and higher is deprecated and no longer in the core:

Will the mcrypt be removed/replaced in future Concrete5 versions?


CMSDeveloper replied:
It is also a shame that auto-installers like Installatron only support Concrete5 up to version v8.1.0:

Softaculous supports up to the latest Concrete5 version v8.3.2, but fails installing when PHP 7.2.x is used with a missing Mcrypt error.

Softaculous installation Mcrypt error:

Installatron installation Mcrypt error:

PHP Version 7.2.3: phpinfo()

mnakalay replied:
Concrete5 only uses Mcrypt in one instance and first checks if it is available.

If it is available, it is used to encrypt/decrypt a string. If it's not available it just returns the plain unencrypted string. This should never throw an error whether mcrypt is available or not.
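
A fail-closed alternative to the fallback described in the reply above, as an added example that is not concrete5's code and not part of the original posts: it uses PHP's OpenSSL extension (AES-256-GCM) instead of mcrypt and throws when the extension is missing rather than returning the plaintext. The function names and the sample key and string are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const CIPHER = 'aes-256-gcm';
const TAG_LEN = 16; // default GCM tag length produced by openssl_encrypt()

// Hypothetical guard: refuse to continue instead of silently storing plaintext.
function requireOpenssl(): void
{
    if (!extension_loaded('openssl')) {
        throw new RuntimeException('openssl extension missing; refusing to return plaintext');
    }
}

function encryptString(string $plaintext, string $key): string
{
    requireOpenssl();
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh nonce per message
    $tag = '';
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }
    return base64_encode($iv . $tag . $ct); // layout: nonce | tag | ciphertext
}

function decryptString(string $encoded, string $key): string
{
    requireOpenssl();
    $raw = base64_decode($encoded, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct  = substr($raw, $ivLen + TAG_LEN);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) { // wrong key or tampered data
        throw new RuntimeException('Decryption or authentication failed');
    }
    return $pt;
}

$key = random_bytes(32); // constructed 256-bit key for the demo
$token = encryptString('constructed-secret', $key);
var_dump(decryptString($token, $key) === 'constructed-secret');
```
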
CMSDeveloper replied (Best Answer):
Did see errors occur when the webserver is Litespeed with a compiled PHP LSAPI - OpenSSL.

This combination gives the Mcrypt is missing error and the Concrete5 openssl fallthrough does not detect the openssl. Burb: md5 as last resort :(

CMSDeveloper replied:
Question:

With C5 installation:
When Mcrypt and OpenSSL fail, the used installation password is encrypted using MD5?

If so, this is a security issue.

The MD5 algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional corruption.

Like most hash functions, MD5 is neither encryption nor encoding. It can be cracked by brute-force attack and suffers from extensive vulnerabilities as detailed in the security section below.

MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function MD4.[3] The source code in RFC 1321 contains a "by attribution" RSA license. The abbreviation "MD" stands for "Message Digest."
CMSDeveloper replied:
This problem remains in c5 v832
typoman76 replied:
In my opinion you should open an issue on github for this.
CMSDeveloper replied:
I am not on github (anymore)..
If the C5 Team ignores this, then they are missing potential new users/clients.

mnakalay replied:
I posted on Github to notify them of the problem with reference to this post. Thank you for bringing it up.