Why would any sane rational human being implement something from Gibson? I still remember him saying how implementing raw sockets in Windows XP will totally and utterly destroy the entire internet. I would implement time proven solutions based on real world testing not an experimental solution from a rather dubious source.
I suppose, as an interesting side project, it might be interesting to explore but for production, I wouldn't touch with a million foot stick. On Sun, Aug 17, 2014 at 8:22 PM, Scott Arciszewski <kobrasre...@gmail.com> wrote: > If any of you are familiar with Stephen Gibson's SQRL protocol for user > authentication (really neat idea), you might have come across this PHP > implementation before: https://github.com/geir54/php-sqrl > > Unfortunately, this library is actually pretty terrible. Not only does it > pass all of the data off to a Heroku app to perform the signature > verification, it is also vulnerable to SQL Injection: > > https://github.com/geir54/php-sqrl/blob/0fa574520a1843a33a84c3985f934e84af6f2042/sqrl_verify.php#L39-59 > > I thought about submitting a pull request to fix this, but I don't believe > there is honestly much here to salvage. So, I'm writing my own > implementation here: > > https://github.com/darkitecht/php-sqrl <- Not ready, at all, for even beta > testing. > > P.S. Also, it uses mt_rand() for challenge generation in a crypto library. > Tsk tsk. > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
