# Use of deprecated Mcrypt functionality
## Description
The Mcrypt extension has been deprecated and subsequently removed from recent PHP versions, and the libmcrypt library behind it is no longer maintained. Continuing to rely on it ties the application to an unsupported component that will not receive security fixes and may stop working on upgrade. Use the Sodium or OpenSSL extensions instead.
## Examples

### Insecure Code

```php
$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, 'key', 'data', MCRYPT_MODE_ECB);
```

### Secure Code

```php
// ECB mode and the literal key only mirror the mcrypt call above; prefer an authenticated mode.
$encrypted = openssl_encrypt('data', 'AES-256-ECB', 'key', OPENSSL_RAW_DATA);
```

## Remediation
Replace Mcrypt functions with Sodium or OpenSSL equivalents. Prefer an authenticated construction (`sodium_crypto_secretbox()`, or OpenSSL AES-GCM with a fresh random IV per message) over ECB mode, which leaks plaintext patterns. Note that `MCRYPT_RIJNDAEL_256` is Rijndael with a 256-bit block size, not AES-256, so data encrypted with it must be decrypted by the old code and re-encrypted rather than decrypted with the OpenSSL or Sodium replacement.
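The migration the remediation describes, as an added example that is not code from the rule page or from phpcs-security-audit: a helper pair that replaces the `mcrypt_encrypt()` call with libsodium's authenticated secretbox and falls back to OpenSSL AES-256-GCM when the sodium extension is absent. The `seal()`/`open()` names, the 3-byte format prefix and the inline key generation are assumptions made for this example.

```php
<?php
// Added example, not from the rule page or phpcs-security-audit: the
// mcrypt_encrypt() call replaced by libsodium secretbox (authenticated
// encryption), with OpenSSL AES-256-GCM when the sodium extension is absent.
// Key generation and storage are assumed to be handled elsewhere by the caller.
declare(strict_types=1);

const IV_LEN = 12, TAG_LEN = 16;  // AES-256-GCM IV and tag sizes

function seal(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) { throw new InvalidArgumentException('key must be 32 bytes'); }
    if (function_exists('sodium_crypto_secretbox')) {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per message
        return 'sb1' . $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key);
    }
    $iv = random_bytes(IV_LEN);
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) { throw new RuntimeException('encryption failed'); }
    return 'gcm' . $iv . $ct . $tag;  // IV and tag travel with the ciphertext
}

function open(string $blob, string $key): string
{
    $format = substr($blob, 0, 3);
    if ($format === 'sb1') {
        $nonce = substr($blob, 3, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $pt = sodium_crypto_secretbox_open(substr($blob, 3 + SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    } elseif ($format === 'gcm') {
        $iv = substr($blob, 3, IV_LEN);
        $ct = substr($blob, 3 + IV_LEN, -TAG_LEN);
        $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, substr($blob, -TAG_LEN));
    } else {
        $pt = false;
    }
    if ($pt === false) {  // wrong key or modified ciphertext: fail closed
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

$key = random_bytes(32);               // constructed sample key; 32 bytes suits both backends
$blob = seal('data', $key);
assert(open($blob, $key) === 'data');
$blob[strlen($blob) - 1] = chr(ord($blob[strlen($blob) - 1]) ^ 1);  // flip one ciphertext bit
try { open($blob, $key); echo "unexpected\n"; } catch (RuntimeException $e) { echo "tamper detected\n"; }
```

Either backend rejects the modified blob instead of returning altered plaintext, which is the property the ECB snippet above lacks.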
## Rule Details
| Field | Value |
|---|---|
| ID | CODE-0752 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-676 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | deprecation, crypto |
| OWASP | A9:2017-Using Components with Known Vulnerabilities, A06:2021-Vulnerable and Outdated Components |
## References
- https://www.php.net/manual/en/intro.mcrypt.php
- https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php