[SECURITY] phpsec/user.php - Passwords converted to lower case before hashing

Note: I have been asked to log all the security issues that I have found by an OWASP contributor to support the decision to abandon this project. My personal opinion is that all of the code in this repository is beyond repair and that it is not wise to attempt to fix it.

This line of code gives a huge number of equivalent passwords by converting the password before hashing it. This means that in the eyes of the auth library 'paSsWord' is equal to 'password'.

phpsec/libs/auth/user.php

Line 71 in 1999edc

    
           return hash($algo, strtolower($dynamicSalt . $pass . BasicPasswordManagement::getStaticSalt()));