PHP : Weak mode for encrypting algorithm

The insecure encryption mode is used. This may lead to a loss of confidentiality or integrity of the data due to the man in the middle attack.

The encryption algorithm defines how the block of ciphertext will be obtained from the block of data of fixed size. Encryption mode determines how the encryption algorithm will be applied to the data that is larger than the block size.

For example, the Electronic Codebook (ECB) mode is the simplest encryption mode, in which the original data blocks are encrypted independently. This allows parallel processing of blocks, which increases the speed of encryption and decryption. Nevertheless, the ECB mode is insecure, since the identical data blocks are encrypted into identical ciphertext blocks, which simplifies cryptanalysis. Moreover, the ciphertext blocks are independent from each other, so an attacker can replace some blocks of hijacked ciphertext, undetected by the receiver. Besides, the encryption in ECB mode keeps statistical features of the original data. An attacker who intercepts the ciphertext can draw some conclusions about the structure of the original data even without decrypting.

Moreover, CBC mode is vulnerable to The Padding Oracle Attack (also known as “Vaudenay attack”) because of the lack of authentication. This allows to make predictable, arbitrary changes to the plaintext of the last block by modifying the ciphertext (of the second to last block, or the IV) in order to draw information out of the originally unreadable ciphertext.

Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.