Bug
Resolution: Not a bug
Major
None
2.5.9, 2.6.6
MOODLE_25_STABLE, MOODLE_26_STABLE
Team A Sprint 1
Hello,
I am currently running Moodle 2.6 on a PHP 5.3.3 server (which is the minimum version required by this version of Moodle).
I tried to upgrade PHP from 5.3.3 to 5.3.7, but after this upgrade I was no longer able to log in to Moodle...
After investigating, I discovered this line in "lib/password_compat/readme_moodle.txt":
"This library requires PHP >= 5.3.7 due to a PHP security issue prior to that version."
Indeed, in the library code we can read:
lib/password_compat/password.php line 49:

    $hash_format = sprintf("$2y$%02d$", $cost);
But the "$2y$" method is only implemented in PHP >= 5.3.7 (cf. http://php.net/manual/en/function.crypt.php).
So all passwords generated by password_hash() using PHP 5.3.3 are wrong...
Example:

    <?php
    echo crypt('toto', '$2y$10$N.mkqwOzqbYKtFxQYXE77ufK.5Bz/4QQO4NaxB46CtE4c5wZAx4Iq');
    ?>

PHP 5.3.3 => $2j63q.Y8SuOw
PHP 5.4.2 => $2y$10$N.mkqwOzqbYKtFxQYXE77u9axfzZmSGwGnqWFhK28KfAiiDKNA9Zm
As you can see, PHP 5.3.3 produces an invalid hash with a really, really short length... I'm not sure whether this could lead to a security issue; that's why I tagged this issue as "Could be a security issue".
In any case, this is really annoying because we cannot upgrade PHP or migrate Moodle 2.6 to a server with a newer PHP version without resetting all users' passwords!!!
Solution: upgrade the Moodle 2.6 requirements from PHP 5.3.3 to PHP 5.3.7 to prevent sysadmins from deploying Moodle 2.6 on a PHP < 5.3.7 server. (That's why I tagged this issue as Major.)
Note: Moodle 2.5 is also affected by this bug.
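The failure described in the report is silent: crypt() on a PHP build without "$2y$" support does not error, it falls back to traditional DES, keeps only the first two characters of the supplied salt ("$2") and returns a 13-character string that then gets stored as the user's password hash. The script below is an added example, not code from Moodle or from the password_compat library. It reuses the report's own test vector as a known-answer check for bcrypt support, classifies stored hash strings so an administrator can find accounts that were hashed on an affected build, and wraps crypt() so that anything other than a full 60-character $2y$ hash is rejected instead of stored. The function names, the salt generation (22 characters from openssl_random_pseudo_bytes()) and the cost bounds are assumptions made for this example; Moodle's real check, password_compat_not_supported(), is only named in the linked issue and is not reproduced here.

```php
<?php
// Added example; not code from Moodle or from the password_compat library.

// Known-answer test using the vector quoted in the report above. A PHP build
// that implements "$2y$" returns the 60-character bcrypt hash; a build
// without it (< 5.3.7) falls back to traditional DES crypt, keeps only the
// first two salt characters ("$2") and returns 13 characters.
const BCRYPT_KAT_PASSWORD = 'toto';
const BCRYPT_KAT_SALT     = '$2y$10$N.mkqwOzqbYKtFxQYXE77ufK.5Bz/4QQO4NaxB46CtE4c5wZAx4Iq';
const BCRYPT_KAT_EXPECTED = '$2y$10$N.mkqwOzqbYKtFxQYXE77u9axfzZmSGwGnqWFhK28KfAiiDKNA9Zm';

/** True only if crypt() on this build really implements the $2y$ scheme. */
function bcrypt_supported()
{
    $out = crypt(BCRYPT_KAT_PASSWORD, BCRYPT_KAT_SALT);
    return is_string($out) && $out === BCRYPT_KAT_EXPECTED;
}

/**
 * Classify a stored hash: 'bcrypt' for a well-formed 60-character $2y$
 * (or $2a$/$2x$) hash, 'des-fallback' for the 13-character output of the
 * broken path described in the report, 'other' for anything else (legacy
 * md5, empty, ...). Useful for auditing the user table of an affected
 * install before or after upgrading PHP.
 */
function classify_hash($hash)
{
    // "$2y$" + 2-digit cost + "$" + 22 salt chars + 31 hash chars = 60 chars.
    if (preg_match('#^\$2[axy]\$\d{2}\$[./A-Za-z0-9]{53}$#', $hash)) {
        return 'bcrypt';
    }
    // DES output: the two salt chars it kept ("$2") followed by 11 hash chars.
    if (preg_match('#^\$2[./A-Za-z0-9]{11}$#', $hash)) {
        return 'des-fallback';
    }
    return 'other';
}

/**
 * Hash a password with bcrypt and refuse to return anything that is not a
 * full 60-character $2y$ hash, instead of silently storing the DES output.
 * Salt generation here is an assumption for the example: 22 characters of
 * the bcrypt alphabet derived from openssl_random_pseudo_bytes().
 */
function safe_password_hash($password, $cost = 10)
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $salt = substr(strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$', $cost) . $salt);
    if (strlen($hash) !== 60 || classify_hash($hash) !== 'bcrypt') {
        throw new RuntimeException('crypt() did not produce a bcrypt hash; PHP >= 5.3.7 is required');
    }
    return $hash;
}

// Command-line usage: report whether this build is safe, then classify the
// two outputs quoted in the report (the 5.3.3 and the 5.4.2 result).
if (PHP_SAPI === 'cli') {
    printf("bcrypt supported: %s\n", bcrypt_supported() ? 'yes' : 'NO');
    foreach (array('$2j63q.Y8SuOw', BCRYPT_KAT_EXPECTED) as $h) {
        printf("%-60s -> %s\n", $h, classify_hash($h));
    }
}
```

Running classify_hash() over the password column of an affected install separates the accounts that need a reset (des-fallback) from those hashed after the PHP upgrade (bcrypt), which is the information the report says was missing. The known-answer test is deliberately a full-string comparison rather than a length check alone, so a build that returns a 60-character string with the wrong digest is also caught.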
has a non-specific relationship to: MDL-48657 Replace or remove password_compat_not_supported() (Closed)