0

This question is for the developers of phpexcel/phpspreadsheet.

We are currently using the library on our website to generate excel files (obviously) and are currently in the process of getting SOC2 certified; which requires us to run all our code and third party code into a security scanner.

The scanner returns 36 vulnerabilities all of which are "Use of a Broken or Risky Cryptographic Algorithm"; as a result of simply using the MD5 function call.

So my question is why are the hashing using MD5 and why are we hashing it? If I can better understand what's going on I can try changing the hashing mechanism or at least explain why it really isn't a security risk.

Panda
  • 6,955
  • 6
  • 40
  • 55
iGuy
  • 42
  • 3

2 Answers2

2

I am not one of the developers of phpspreadsheet but I have some observations on how it is using the md5 function.

IMO, the reported vulnerabilities are false positives. It is true that using md5() for securing data (particularly passwords) is not appropriate. But there are other uses for a hash value besides security It seems the code scan assumes md5 is being used for cryptographic purposes. It is not.

Just take a look at the source code to see where md5() is used. Primarily, it's used to create a hash of objects with multiple property values so that it's easy to compare objects and all their property values. I did not find any use of it that involved a password or other security-related task.

Style objects (i.e. borders, colors, alignment, etc) are a common target for md5 hashing. Consider a "border" object. It's a lot easier to compare the hash of combined top, right, bottom, left, and diagonal values than to walk through properties one at a time to compare values with the same property in another object.

All that said, I do not claim that phpspreadsheet is cryptographic secure or that every use of md5 is appropriate. I did not examine each and every use of md5. But I think there is a case to be made that the report is not entirely accurate.

DFriend
  • 8,869
  • 1
  • 13
  • 26
1

As DFriend has already noted, the use of md5() within PHPExcel/PHPSpreadsheet is not (with one exception) being used for cryptographic purposes. It is used to generate quasi-unique hashes/checksums for quick comparison of object values.

The one exception to that is for verification of any Xls password, because MS Excel itself uses md5 hashing as part of its password verification. For your SOC2 certification, you'd have to take that one up with Microsoft.

Mark Baker
  • 209,507
  • 32
  • 346
  • 385
  • DFriend and Mark Baker thank you for clarifying everything. Since this info came directly from the developer I can submit this as a false positive with detailed reasons why. – iGuy Dec 10 '18 at 06:24