πŸ›[BUG] - Concrete5 8.3.2 +(8.4.1) and PhP v7.2, mcrypt not longer supported!

Hello,

On the Concrete5 "System Requirements" page:
https://documentation.concrete5.org/developers/installation/system-r...
I do see that the php extension Mcrypt for concrete5 8.x.x is required.
Is this a bug by design?

Mcrypt for PHP v7.2 and higher is deprecated and no longer in the core:
http://php.net/manual/en/migration71.deprecated.php...

Will the mcrypt be removed/replaced in future Concrete5 versions?

CMSDeveloper

CMSDeveloper replied:
It is also a shame that auto-installers like Installatron only support Concrete5 up to version v8.1.0:
https://installatron.com/concrete?s=7a1e93e3cd207d9e54bc705e84ba8681...

Softaculous supports up to the latest Concrete5 version v8.3.2, but fails to install when PHP 7.2.x is used, with a missing Mcrypt error.
https://www.softaculous.com/softaculous/apps/cms/Concrete5...

Softaculous installation Mcrypt error:
https://i.imgur.com/IeUEqCs.png...

Installatron installation Mcrypt error:
https://i.imgur.com/3jfTeUi.png...

PHP Version 7.2.3: phpinfo()
https://i.imgur.com/LwSdiWt.png...

mnakalay replied:
Concrete5 only uses Mcrypt in one instance and first checks if it is available.

If it is available, it is used to encrypt/decrypt a string. If it's not available it just returns the plain unencrypted string. This should never throw an error whether mcrypt is available or not.
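
The reply above describes a fallback that returns the plaintext when the extension is missing. This added example (not part of the thread and not Concrete5's code) contrasts that fail-open pattern with one that refuses to continue. The function names, the AES-256-GCM choice and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not Concrete5 source code.
// Fail-open: with mcrypt absent, the "encrypted" value is the plaintext itself.
function encrypt_fail_open(string $plain, string $key): string
{
    if (!function_exists('mcrypt_encrypt')) {
        return $plain; // silent downgrade: the caller stores cleartext unknowingly
    }
    // Legacy branch, reachable only on PHP builds that still ship mcrypt.
    $iv = random_bytes(16);
    return base64_encode($iv . mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $plain, MCRYPT_MODE_CBC, $iv));
}

// Fail-closed: refuse to continue when no authenticated cipher is available.
function encrypt_fail_closed(string $plain, string $key): string
{
    if (!extension_loaded('openssl')
        || !in_array('aes-256-gcm', openssl_get_cipher_methods(), true)) {
        throw new RuntimeException('No usable cipher; refusing to store plaintext');
    }
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('Key must be 32 raw bytes');
    }
    $iv = random_bytes(12); // fresh nonce for every message
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }
    return base64_encode($iv . $tag . $ct); // layout: 12-byte IV, 16-byte tag, ciphertext
}

function decrypt_fail_closed(string $blob, string $key): string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('Malformed ciphertext');
    }
    [$iv, $tag, $ct] = [substr($raw, 0, 12), substr($raw, 12, 16), substr($raw, 28)];
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        throw new RuntimeException('Authentication failed: wrong key or tampered data');
    }
    return $plain;
}

$key = random_bytes(32);          // constructed demo key
$secret = 'example-db-password';  // constructed sample value
var_dump(encrypt_fail_open($secret, $key) === $secret);
var_dump(decrypt_fail_closed(encrypt_fail_closed($secret, $key), $key) === $secret);
```

An installer that uses the fail-closed form can report the missing extension as a requirement error instead of completing with secrets stored in the clear.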
CMSDeveloper replied (Best Answer):
I did see errors occur when the webserver is LiteSpeed with a compiled PHP LSAPI - OpenSSL.
https://www.litespeedtech.com/open-source/litespeed-sapi/php/...

This combination gives the "Mcrypt is missing" error and the Concrete5 OpenSSL fallthrough does not detect OpenSSL. Burb: md5 as last resort :(

CMSDeveloper replied:
Question:

With C5 installation:
When Mcrypt and OpenSSL fail, is the installation password encrypted using MD5?

If so, this is a security issue.

The MD5 algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional corruption.

Like most hash functions, MD5 is neither encryption nor encoding. It can be cracked by brute-force attack and suffers from extensive vulnerabilities as detailed in the security section below.

MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function MD4.[3] The source code in RFC 1321 contains a "by attribution" RSA license. The abbreviation "MD" stands for "Message Digest."
More:
https://en.wikipedia.org/wiki/MD5...
CMSDeveloper replied:
This problem remains in c5 v832
typoman76 replied:
In my opinion you should open an issue on github for this.
CMSDeveloper replied:
I am not on GitHub (anymore)..
If the C5 Team ignores this, then they are missing potential new users/clients.
mnakalay replied:
I posted on Github to notify them of the problem with reference to this post. Thank you for bringing it up.
CMSDeveloper replied:
Do you have a link?
Cannot find this issue on GitHub:

https://github.com/concrete5/concrete5/search?utf8=%E2%9C%93&q=i...

https://i.imgur.com/08R4UDQ.png...
mnakalay replied:
CMSDeveloper replied:
@mnakalay Hey, thanks for the response / links.
I am happy it's on the radar. Pfhhhh...
CMSDeveloper replied:
Hello, is this issue fixed in v8.4.0?
CMSDeveloper replied:
Can't find anything in the release notes:

https://documentation.concrete5.org/developers/background/version-hi...
mnakalay replied:
It hasn't been taken care of yet but the conversation is going on. I think a solution might have been selected (it has to be backward compatible, which is not that easy).

My understanding is it will be addressed in version 9.
CMSDeveloper replied:
Any release date for Concrete5 v5.0?
I cannot (/will not) install Concrete5 8.4.1+ now, with these (security) issues still not *solved.
This is taking too long :-(

*https://www.concrete5.org/community/forums/installation/bugand128027-concrete5-php-v7.2-mcrypt-not-longer-supported/#926404