
Weak Cryptography - SHA1 for Password Hashing

Low
thorsten published GHSA-58fg-62fg-3fcj May 25, 2026

Package

composer phpmyfaq/phpmyfaq (Composer)

Affected versions

<= 4.1.3

Patched versions

4.1.4

Package

composer thorsten/phpMyFAQ (Composer)

Affected versions

<= 4.1.3

Patched versions

4.1.4

Description

Summary

Attachment passwords are hashed using SHA-1, a cryptographically broken algorithm: practical collision attacks have existed since 2017 (SHAttered), and, more important for password storage, SHA-1 is a fast general-purpose digest with no built-in salt or work factor, so a leaked hash can be brute-forced or dictionary-attacked cheaply.

Details

Affected File : phpmyfaq/src/phpMyFAQ/Attachment/AbstractAttachment.php


Impact

  • SHA-1 no longer provides the collision resistance expected of a cryptographic hash (a collision alone does not let an attacker match a specific stored hash, but it disqualifies the algorithm for any security use)
  • Risk of offline password cracking if the database is compromised: SHA-1 is designed to be fast, so an attacker can test billions of candidates per second on commodity GPUs
  • Estimated cracking time: under a minute for a typical (weak or dictionary) attachment password once the hash is known

Solution

Use bcrypt through PHP's password_* API, which salts every hash and applies a configurable work factor:

public function setPassword(string $password): void
{
    // password_hash() generates a random salt and embeds it, with the cost, in the result
    $this->passwordHash = password_hash($password, PASSWORD_BCRYPT);
}

public function verifyPassword(string $plainPassword): bool
{
    // constant-time comparison against the stored hash
    return password_verify($plainPassword, $this->passwordHash);
}

Two caveats: bcrypt only uses the first 72 bytes of the input, so enforce a length limit or pre-hash long inputs; and existing SHA-1 digests cannot be converted in place, they must be replaced when the password is next presented (or reset).
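The following is an added example, not phpMyFAQ's own code, showing how the migration from the legacy SHA-1 digests to password_hash() can be done without forcing every attachment password to be reset: a legacy digest is accepted once, then replaced by a bcrypt hash the caller persists. The class name, the cost of 12, and the assumption that the legacy value is sha1()'s 40-character hex digest are all assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not phpMyFAQ code). Assumes legacy records hold sha1()'s
// 40-char hex digest of the attachment password; the class name and cost
// are chosen for the demo.
final class AttachmentPassword
{
    private const COST = 12;

    /** Detects a legacy digest: 40 hex characters, sha1()'s default output. */
    private static function isLegacySha1(string $stored): bool
    {
        return preg_match('/^[0-9a-f]{40}$/i', $stored) === 1;
    }

    /** Hash a new password. PASSWORD_DEFAULT is bcrypt in current PHP releases. */
    public static function hash(string $plain): string
    {
        return password_hash($plain, PASSWORD_DEFAULT, ['cost' => self::COST]);
    }

    /**
     * Verify $plain against $stored.
     * Returns false when verification fails, null when the stored hash is fine
     * as-is, or a new hash string the caller must persist (legacy SHA-1 record,
     * or a bcrypt hash computed with a lower cost than COST).
     */
    public static function verifyAndUpgrade(string $plain, string $stored): string|false|null
    {
        if (self::isLegacySha1($stored)) {
            // hash_equals() avoids leaking where the two digests first differ.
            if (!hash_equals(strtolower($stored), sha1($plain))) {
                return false;
            }
            return self::hash($plain); // replace the SHA-1 record on this login
        }

        if (!password_verify($plain, $stored)) {
            return false;
        }

        return password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => self::COST])
            ? self::hash($plain)
            : null;
    }
}

// Constructed demo data: one legacy record and one already-migrated record.
$legacy   = sha1('open-sesame');
$migrated = AttachmentPassword::hash('open-sesame');

var_dump(AttachmentPassword::verifyAndUpgrade('wrong', $legacy));          // bool(false)
$replacement = AttachmentPassword::verifyAndUpgrade('open-sesame', $legacy); // bcrypt hash to persist
var_dump(is_string($replacement) && str_starts_with($replacement, '$2y$')); // bool(true)
var_dump(AttachmentPassword::verifyAndUpgrade('open-sesame', $migrated));    // NULL, nothing to do
```

The caller writes the returned hash back to the row whenever a string comes back, so legacy digests disappear as attachments are opened; records never touched again still need an explicit reset. Because the legacy branch recognises a SHA-1 record purely by its shape, it should be removed once the migration is complete so that no code path accepts an unsalted digest any longer.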

Severity

Low

CVE ID

CVE-2026-48488

Weaknesses

Use of Weak Hash (CWE-328)

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function, allowing an adversary to reasonably determine the original input (preimage attack), find another input that produces the same hash (second-preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

Credits