Browse Source

see https://github.com/postfixadmin/postfixadmin/issues/523 - improve randomness when creating the PFA_token field; reported by @michaellrowley via huntr.dev.

issue-916
David Goodwin 5 years ago
parent
commit
feb5cbc7f3
  1. 3
      functions.inc.php
  2. 3
      public/users/login.php

3
functions.inc.php

@ -103,7 +103,8 @@ function init_session($username, $is_admin = false) {
$_SESSION['sessid']['roles'] = array();
$_SESSION['sessid']['roles'][] = $is_admin ? 'admin' : 'user';
$_SESSION['sessid']['username'] = $username;
$_SESSION['PFA_token'] = md5(uniqid("", true));
$_SESSION['PFA_token'] = md5(random_bytes(8) . uniqid('pfa', true));
return $status;
}

3
public/users/login.php

@ -70,8 +70,7 @@ session_start();
if ($error) {
flash_error($error);
}
$_SESSION['PFA_token'] = md5(uniqid('pfa' . rand(), true));
$_SESSION['PFA_token'] = md5(random_bytes(8) . uniqid('pfa', true));
$smarty->assign('language_selector', language_selector(), false);
$smarty->assign('smarty_template', 'login');

Loading…
Cancel
Save