TerraFrost
Forum Replies Created
The phpseclib issues are not legit. phpseclib 2.0 works on PHP 5.3+. As your report says, mcrypt has been “deprecated since PHP 7.1 and removed since PHP 7.2”. So should phpseclib 2.0 screw over PHP 5.3-7.1 users just to check off a meaningless checkbox on a static analysis tool?
Even on PHP 5.3-7.1, mcrypt is only used if available and even then only if OpenSSL is not available. If you want to see the source code that facilitates all this lmk and I’ll post it.
That said, the latest version of phpseclib (currently) is 3.0, which requires PHP 5.6+. mcrypt is still used on that as 5.6 is still less than 7.1, but 2.0 is none-the-less supported as well in an LTS capacity. And “Wp Social Login and Register Social Counter” is using phpseclib 2.0 (or 1.0) as evidenced by the fact that the filename is Crypt/Base.php vs Crypt/Common/SymmetricKey.php.
This is not an issue. It is one of multiple pseudo random string providers utilized by the Facebook SDK (a third party dependency of “Revive Old Posts – Auto Post to Social Media”):
https://github.com/facebook/php-graph-sdk/tree/5.x/src/Facebook/PseudoRandomString
See, also, https://www.ads-software.com/support/topic/php-7-3-11/
Forum: Plugins
In reply to: [10Web Social Post Feed] PHP 7.3
This is not an issue. It is one of multiple pseudo random string providers utilized by the Facebook SDK (a third party dependency of 10Web Social Post Feed):
https://github.com/facebook/php-graph-sdk/tree/5.x/src/Facebook/PseudoRandomString
- This reply was modified 5 years, 6 months ago by TerraFrost.
Forum: Plugins
In reply to: [SSH SFTP Updater Support] SSH authentication Issue
Works for me! My email address is [email protected]. I’ll try to take a look this evening and will provide you with status updates!
Forum: Plugins
In reply to: [SSH SFTP Updater Support] SSH authentication Issue
And as far as I know, the keys are not encrypted & for sure, they do not have a passcode on them.
Encryption isn’t an issue given that the keys start off with -----BEGIN RSA PRIVATE KEY-----. It’s only an issue for keys starting off with -----BEGIN OPENSSH PRIVATE KEY-----.
Anyway, I’d be willing to bet $10 that the underlying library is not due to the key being in an unsupported format. Maybe the issue is, as David Anderson hinted at, your permissions. You insist those are fine, but that would certainly explain what you’re seeing, none-the-less.
I would suggest you provide me with the key and I can verify that the key is able to be loaded but that’s also basically giving me the credentials to your server as well. Can you create a key that you believe reproduces the issue that you’d be willing to share?
If it is a legit issue with the underlying library I will pay you, via PayPal, $10 for finding that issue.
I mean, I suppose it’s possible that the key is malformed. You can’t just base64 encode a random string and expect it to be loaded as an RSA key. I would not pay $10.00 for this. But I can’t make that determination without seeing a key that reproduces the issue.
- This reply was modified 5 years, 7 months ago by TerraFrost.
Forum: Plugins
In reply to: [SSH SFTP Updater Support] SSH authentication Issue
Original author here. 4096-bit RSA keys aren’t an issue. If I had to guess I’d guess that the key you’re using starts off thusly:
-----BEGIN OPENSSH PRIVATE KEY-----
If so then keys of that format were not supported until v0.8.2 of this plugin (the most recent version). Are you using that version?
Also, encrypted keys in that format are not supported by the underlying library for technical reasons that https://github.com/phpseclib/phpseclib/blob/7012e724881ac479866d05e78dbe6fd25fe5a90b/phpseclib/Crypt/Common/Formats/Keys/OpenSSH.php#L94 elaborates upon.
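The header distinction drawn in the two replies above can be checked on a key file before it is handed to the plugin. The following is an added example, not part of the original posts and not phpseclib code; `describePrivateKey()`, `sshString()` and `sampleOpenSsh()` are hypothetical names, and the sample inputs are constructed container headers that hold no key material.

```php
<?php
// Added example (not phpseclib code): classify a private key by its PEM label
// and report whether it is encrypted, without parsing any key material.
function describePrivateKey(string $pem): array
{
    $bad = ['format' => 'openssh (malformed)', 'encrypted' => null];
    if (!preg_match('/-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----/s', $pem, $m)) {
        return ['format' => 'unknown', 'encrypted' => null];
    }
    $label = $m[1];
    $body = $m[2];
    if ($label === 'RSA PRIVATE KEY') {
        // Traditional PEM flags encryption in a cleartext header line.
        return ['format' => 'pkcs1', 'encrypted' => strpos($body, 'Proc-Type: 4,ENCRYPTED') !== false];
    }
    if ($label !== 'OPENSSH PRIVATE KEY') {
        return ['format' => strtolower($label), 'encrypted' => null];
    }
    // OpenSSH container: magic, then a length-prefixed cipher name ("none" = unencrypted).
    $magic = "openssh-key-v1\0";
    $off = strlen($magic);
    $bin = base64_decode(preg_replace('/\s+/', '', $body), true);
    if ($bin === false || strncmp($bin, $magic, $off) !== 0 || strlen($bin) < $off + 4) {
        return $bad;
    }
    $len = unpack('N', substr($bin, $off, 4))[1];
    if (strlen($bin) < $off + 4 + $len) {
        return $bad;
    }
    $cipher = substr($bin, $off + 4, $len);
    return ['format' => 'openssh', 'encrypted' => $cipher !== 'none', 'cipher' => $cipher];
}

// Constructed samples: container headers only, no key material.
function sshString(string $s): string
{
    return pack('N', strlen($s)) . $s;
}
function sampleOpenSsh(string $cipher, string $kdf): string
{
    $blob = "openssh-key-v1\0" . sshString($cipher) . sshString($kdf);
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" . chunk_split(base64_encode($blob), 70, "\n")
        . "-----END OPENSSH PRIVATE KEY-----\n";
}
$samples = [
    'openssh, no passphrase' => sampleOpenSsh('none', 'none'),
    'openssh, passphrase'    => sampleOpenSsh('aes256-ctr', 'bcrypt'),
    'pkcs1, passphrase'      => "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        . "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
];
foreach ($samples as $name => $pem) {
    printf("%-24s %s\n", $name, json_encode(describePrivateKey($pem)));
}
```

A result of `openssh` with `encrypted: true` is the combination the reply above says the underlying library does not support; `openssh` with `encrypted: false` needs v0.8.2 of the plugin.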
I can tell you that at least some of those are completely bogus. For example, the ones relating to phpseclib. This plugin is using a fairly new version of phpseclib it looks like:
https://github.com/phpseclib/phpseclib/issues/1229#issuecomment-351066079 explains why it’s not an issue.
Static code analyzers are not 100% accurate and you should take their findings with a grain of salt.
Not an issue. Automated scanners like the one you’re using are notorious for returning false positives and this one is no exception.
Check out the source code:
It checks to see if the extension is loaded and suppresses any error message you might encounter.
Also, check this out:
https://github.com/phpseclib/phpseclib/issues/1028#issuecomment-242739527
Forum: Plugins
In reply to: [Gmail SMTP] PHP 7.2 compatibility….
A lot of those errors are bogus. Consider phpseclib. All those mcrypt errors are bogus. See https://github.com/phpseclib/phpseclib/issues/1229 for more info.
Static code analyzers are notorious for false positives so take what it says with a grain of salt.
- This reply was modified 7 years ago by TerraFrost.
Forum: Plugins
In reply to: [Google Analytics Counter Tracker] plugin is not compatible with PHP 7.0
FWIW simply updating the version of phpseclib that’s included in the lib directory to 1.0.9 is sufficient to fix the issue:
https://github.com/phpseclib/phpseclib/archive/1.0.9.zip
Mind you, some of these errors are bogus.
For example,
169 | ERROR | Global with variable variables is not allowed since PHP 7.0
See https://github.com/phpseclib/phpseclib/pull/1206
4150 | ERROR | Using a call-time pass-by-reference is deprecated since PHP 5.3 and prohibited since PHP 5.4
See https://github.com/phpseclib/phpseclib/issues/337
568 | WARNING | Use of deprecated PHP4 style class constructor is not supported since PHP 7.
That’s not really an issue if you also have PHP5 style class constructors. eg. https://3v4l.org/IB9uZ
Forum: Plugins
In reply to: [Two Factor Auth] Does not work with PHP 7.2
Ah – I thought you were saying that phpseclib was used by this plugin and that because mcrypt could be used by phpseclib that that meant that this plugin didn’t work on 7.2.
Re-reading your post I guess I was mistaken. I apologize!
Forum: Plugins
In reply to: [Two Factor Auth] Does not work with PHP 7.2
You are incorrect. phpseclib uses mcrypt if it’s available. And even then only if OpenSSL isn’t. In PHP 7.2 mcrypt isn’t available so it doesn’t use mcrypt. And if OpenSSL isn’t available, either, phpseclib uses its own internal implementation.
Looking at the replies in the link you provided supports this.
Forum: Plugins
In reply to: [SSH SFTP Updater Support] Plugin not working anymore 4.2
Another possibility: maybe you enabled mbstring.func_overload on the server and do not consider that to be any more relevant a change than the server uptime changing (even tho it is).
Forum: Plugins
In reply to: [SSH SFTP Updater Support] Plugin not working anymore 4.2
@blueion – What browser are you using?
One thing I’m willing to do… we could make a little bet. I’ll bet you $50 USD that the issue is on your end (be it user error or a browser error or whatever). If I’m right you pay me $50 USD. If I’m wrong I’ll pay you $50 USD. To qualify you can either (1) email me auth info for a WordPress admin account on your site and SFTP credentials so that I may reproduce the issue or (2) you provide a patch that fixes this alleged issue. Note that a patch making this plugin work on, say, IE5 on Win98, although perhaps worthwhile, will not constitute a win for you.
Forum: Plugins
In reply to: [SSH SFTP Updater Support] screen_icon function error
Updated the plugin.
Thanks!