Keys containing double quotes break vmcrypt

ssc3 · May 27, 2016, 10:13:48 AM

Joomla 3.51 and Virtuemart 3.0.16

php 5.6 and php 7

The following key file breaks vmcrypt

///////////////////////////////////////////////////////////

;<?php die(); */
[keys]
key = "aÊ¨ÖÁÏ×ª FZäÄ""
unixtime = "1464293091"
date = "2016-05-26 20:04:51"
b64 = "0"
size = "24"
; */ ?>

///////////////////////////////////////////////////////////////

The key contains an extra double quote "

key = "aÊ¨ÖÁÏ×ª FZäÄ""

If you have a Windows server, keys with carriage returns also have the same effect

key = "Wi×hs=
È®Úüwò"R«ë"

The key file itself is using line feeds as end of line markers

A temporary solution is to delete the key file and force a new key file to be generated.

Keep on doing this until a key without character returns or double quotes is created.

A more permanent solution would be to save the key with base64 encoding.

Milbo · May 27, 2016, 11:08:03 AM

Thank you for report, explanation and idea how to fix it. My problem is now, how to update? We could force the system to generate a new key, when updating.

Or I remove in the keygenerator the " and any controll sign, easier for BC.

Or a check for the length and when it has doubled size => base64_decode. Hmmmm

ssc3 · May 30, 2016, 17:40:04 PM

vmcrypt reads the key file using parse_ini_file which gives an error,

but since the key file is always saved in the following order

key
unixtime
date
b64
size

You might be able to use regex to extract the key. It should work with keys containing double quotes,
so they would be need to generate new keys.

Milbo · May 30, 2016, 18:34:08 PM

actually we can also just generate a new key, the system works automatically with multikeys

ssc3 · May 30, 2016, 19:07:02 PM

As long as you do not have to retrieve data saved with the old key, then that would work.

Milbo · May 30, 2016, 19:32:22 PM

Quote from: Milbo on May 27, 2016, 11:08:03 AM
Thank you for report, explanation and idea how to fix it. My problem is now, how to update? We could force the system to generate a new key, when updating.

Or I remove in the keygenerator the " and any controll sign, easier for BC.

Or a check for the length and when it has doubled size => base64_decode. Hmmmm

Quote from: Milbo on May 30, 2016, 18:34:08 PM
actually we can also just generate a new key, the system works automatically with multikeys

So we could just add the base64_decode, when the length fits. I think that is the most simple solution

Milbo · May 30, 2016, 19:33:30 PM

Even better, I just notice we note as value if it is an encoded key.

News:

Keys containing double quotes break vmcrypt

ssc3

Milbo

ssc3

Milbo

ssc3

Milbo

Milbo