[BUG] - Concrete5 8.3.2 +(8.4.1) and PHP v7.2, mcrypt no longer supported!
β Hello,
On the Concrete5 "System Requirements" page:
https://documentation.concrete5.org/developers/installation/system-r...
I do see that the php extension Mcrypt for concrete5 8.x.x is required.
Is this a BUG by design?
Mcrypt for PHP v7.2 and higher is deprecated and no longer in the core:
http://php.net/manual/en/migration71.deprecated.php...
Will the mcrypt be removed/replaced in future Concrete5 versions?
Concrete5 only uses Mcrypt in one instance and first checks if it is available.
If it is available, it is used to encrypt/decrypt a string. If it's not available it just returns the plain unencrypted string. This should never throw an error whether mcrypt is available or not.
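An added example, not part of the original post and not Concrete5's own code: the fallback behaviour described in the reply above, next to a variant that refuses to continue when no backend is present. It assumes ext-openssl with AES-256-GCM in place of mcrypt; the function names and the `$available` parameter are hypothetical.

```php
<?php
declare(strict_types=1);

// AES-256-GCM via ext-openssl (swapped in for mcrypt, which PHP 7.2 no longer ships).
function sealString(string $plain, string $key): string
{
    $nonce = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }
    return base64_encode($nonce . $tag . $ct); // nonce(12) | tag(16) | ciphertext
}

// Pattern described in the post: no backend means the input comes back
// unchanged, and nothing tells the caller the value was never encrypted.
function encryptFailOpen(string $plain, string $key, ?bool $available = null): string
{
    $available = $available ?? extension_loaded('openssl');
    return $available ? sealString($plain, $key) : $plain;
}

// Hardened form: a missing backend is an error, never a silent downgrade.
function encryptFailClosed(string $plain, string $key, ?bool $available = null): string
{
    $available = $available ?? extension_loaded('openssl');
    if (!$available) {
        throw new RuntimeException('No encryption backend; refusing to return plaintext');
    }
    return sealString($plain, $key);
}

$key = random_bytes(32);          // constructed demo key
$secret = 'example-secret-value'; // constructed sample input

// Simulate a host where the extension is missing ($available = false).
$stored = encryptFailOpen($secret, $key, false);
echo 'fail-open returned cleartext: ', var_export($stored === $secret, true), PHP_EOL;

try {
    encryptFailClosed($secret, $key, false);
} catch (RuntimeException $e) {
    echo 'fail-closed raised: ', $e->getMessage(), PHP_EOL;
}

// With the extension present the result is an opaque blob, not the input.
echo 'sealed differs from input: ', var_export(encryptFailClosed($secret, $key) !== $secret, true), PHP_EOL;
```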
β Did see errors occur when the webserver is Litespeed with a compiled PHP LSAPI - OpenSSL.
https://www.litespeedtech.com/open-source/litespeed-sapi/php/...
This combination gives the Mcrypt is missing error and the Concrete5 openssl fallthrough does not detect the openssl. Burb: md5 as last resort :(
β Question:
With C5 installation:
When Mcrypt and OpenSSL fail, the used installation password is encrypted using MD5?
If so, this is a security issue.
The MD5 algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional corruption.
Like most hash functions, MD5 is neither encryption nor encoding. It can be cracked by brute-force attack and suffers from extensive vulnerabilities as detailed in the security section below.
MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function MD4.[3] The source code in RFC 1321 contains a "by attribution" RSA license. The abbreviation "MD" stands for "Message Digest."
More:
https://en.wikipedia.org/wiki/MD5...
β This problem remains in c5 v832
In my opinion you should open an issue on github for this.
β I am not on github (anymore)..
If the C5 Team ignores this, then they are missing potential new users/clients.
I posted on Github to notify them of the problem with reference to this post. Thank you for bringing it up.
β Do you have a link?
Cannot find this issue on Github:
https://github.com/concrete5/concrete5/search?utf8=%E2%9C%93&q=i...
https://i.imgur.com/08R4UDQ.png...
@mnakalay Hey, thanks for the response / links.
I am happy it's on the radar. Pfhhhh...
β Hello, is this issue fixed in v8.4.0?
β Can't find anything in the release notes:
https://documentation.concrete5.org/developers/background/version-hi...
It hasn't been taken care of yet but the conversation is going on. I think a solution might have been selected (it has to be backward compatible which is not that easy).
My understanding is it will be addressed in version 9.
Any release date for Concrete5 v5.0?
I can(/will) not install Concrete5 8.4.1+ now, with these (security) issues still not *solved.
This is taking too long :-(
*https://www.concrete5.org/community/forums/installation/bugand128027-concrete5-php-v7.2-mcrypt-not-longer-supported/#926404
β This problem is still there, in Concrete5 V 8.4.4
Why can they not fix this? I've been wanting to use Concrete5 for new clients, and for my own site, but can't because of this issue. It looks like the issue has been around for a very long time.
I've tried installing C5 8.4.4 manually, but it always ends up with no way to access the install or configuration screen once I'm done. I get a 505 error.
Is there a reliable guide for installing manually? The ones I've seen on Youtube all fail.
Read this on Github, noob solution...ZZzzzzzzzz...
https://github.com/concrete5/concrete5/issues/6588...
https://installatron.com/concrete?s=7a1e93e3cd207d9e54bc705e84ba8681...
Softaculous supports up to the latest Concrete5 version v8.3.2, but fails installing when php 7.2.x is used with a missing Mcrypt error.
https://www.softaculous.com/softaculous/apps/cms/Concrete5...
Softaculous installation Mcrypt error:
https://i.imgur.com/IeUEqCs.png...
Installatron installation Mcrypt error:
https://i.imgur.com/3jfTeUi.png...
PHP Version 7.2.3: phpinfo()
https://i.imgur.com/LwSdiWt.png...