🐛[BUG] - Concrete5 8.3.2 +(8.4.1) and PHP v7.2, mcrypt no longer supported!
On the Concrete5 "System Requirements" page:
https://documentation.concrete5.org/developers/installation/system-r...
I do see that the PHP extension Mcrypt is required for concrete5 8.x.x.
Is this a BUG by design?
Mcrypt for PHP v7.2 and higher is deprecated and no longer in the core:
http://php.net/manual/en/migration71.deprecated.php...
Will the mcrypt be removed/replaced in future Concrete5 versions?
.
If it is available, it is used to encrypt/decrypt a string. If it's not available it just returns the plain unencrypted string. This should never throw an error whether mcrypt is available or not.
https://www.litespeedtech.com/open-source/litespeed-sapi/php/...
This combination gives the Mcrypt is missing error and the Concrete5 openssl fallthrough does not detect the openssl. Burb: md5 as last resort :(
.
With C5 installation:
When Mcrypt and OpenSSL fail, the used installation password is encrypted using MD5?
If so, this is a security issue.
The MD5 algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional corruption.
Like most hash functions, MD5 is neither encryption nor encoding. It can be cracked by brute-force attack and suffers from extensive vulnerabilities as detailed in the security section below.
MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function MD4.[3] The source code in RFC 1321 contains a "by attribution" RSA license. The abbreviation "MD" stands for "Message Digest."
More:
https://en.wikipedia.org/wiki/MD5...
If the C5 Team ignores this, then they are missing potential new users/clients.
.
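The fallback behaviour discussed above (plaintext returned when no crypto extension is loaded, and the question of an MD5 last resort), contrasted with a fail-closed version built on PHP's openssl extension and `password_hash()`. This is an added example, not code from concrete5 or from any poster in this thread; the function names and sample values are made up for illustration.

```php
<?php
declare(strict_types=1);
// Added example; all function names are hypothetical, not concrete5 APIs.
// Fail-open, as described in the thread: without the extension the caller
// gets the plaintext back and cannot tell that nothing was encrypted.
function encrypt_fail_open(string $plain, string $key): string
{
    return extension_loaded('openssl') ? encrypt_fail_closed($plain, $key) : $plain;
}

// Fail-closed: raise an error instead of degrading to plaintext.
function encrypt_fail_closed(string $plain, string $key): string
{
    if (!extension_loaded('openssl')) {
        throw new RuntimeException('openssl missing; refusing to return plaintext');
    }
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be 32 random bytes');
    }
    $iv = random_bytes(12); // fresh 96-bit nonce per message
    $tag = '';
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

function decrypt_fail_closed(string $blob, string $key): string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) { // 12-byte nonce + 16-byte tag
        throw new RuntimeException('malformed ciphertext');
    }
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) { // wrong key or tampered data
        throw new RuntimeException('authentication failed');
    }
    return $plain;
}

// Constructed sample values.
$key = random_bytes(32);
$blob = encrypt_fail_closed('smtp-secret', $key);
var_dump(decrypt_fail_closed($blob, $key) === 'smtp-secret');
// Passwords are hashed with a salted, slow algorithm rather than MD5.
$hash = password_hash('install-password', PASSWORD_DEFAULT);
var_dump(password_verify('install-password', $hash));
```

AES-256-GCM through `openssl_encrypt()` needs PHP 7.1 or later, which covers the PHP 7.2 setups discussed here.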
Cannot find this issue on GitHub:
https://github.com/concrete5/concrete5/search?utf8=%E2%9C%93&q=i...
https://i.imgur.com/08R4UDQ.png...
I am happy it's on the radar. Pfhhhh...
?
https://documentation.concrete5.org/developers/background/version-hi...
My understanding is it will be addressed in version 9.
I cannot (/will not) install Concrete5 8.4.1+ now, with these (security) issues still not *solved.
This is taking too long :-(
*https://www.concrete5.org/community/forums/installation/bugand128027-concrete5-php-v7.2-mcrypt-not-longer-supported/#926404
I've tried installing C5 8.4.4 manually, but it always ends up with no way to access the install or configuration screen once I'm done. I get a 505 error.
Is there a reliable guide for installing manually? The ones I've seen on YouTube all fail.
https://github.com/concrete5/concrete5/issues/6588...
https://installatron.com/concrete?s=7a1e93e3cd207d9e54bc705e84ba8681...
Softaculous supports up to the latest Concrete5 version v8.3.2, but fails installing when php 7.2.x is used with a missing Mcrypt error.
https://www.softaculous.com/softaculous/apps/cms/Concrete5...
Softaculous installation Mcrypt error:
https://i.imgur.com/IeUEqCs.png...
Installatron installation Mcrypt error:
https://i.imgur.com/3jfTeUi.png...
PHP Version 7.2.3: phpinfo()
https://i.imgur.com/LwSdiWt.png...
.