github
/
phpservermon
mirror of https://github.com/phpservermon/phpservermon
1
0
Fork 0
Code Issues Releases Wiki Activity

SECURITY: Replaced mt_rand with random_bytes 

https://huntr.dev/bounties/1-phpservermon/phpservermon/
CWE-1241: Use of Predictable Algorithm in Random Number Generator
pull/1133/head
Tim Zandbergen 2021-06-23 22:05:58 +02:00
parent 32fcb8b0e8
commit bb10a5f3c6
No known key found for this signature in database
GPG Key ID: 4D8268DC68E8339D
1 changed files with 7 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/psm/Service/User.php
View File

@ -198,9 +198,9 @@ class User
{ {
if (isset($_COOKIE['rememberme'])) { if (isset($_COOKIE['rememberme'])) {
// extract data from the cookie // extract data from the cookie
list ($user_id, $token, $hash) = explode(':', $_COOKIE['rememberme']); list($user_id, $token, $hash) = explode('_', $_COOKIE['rememberme']);
// check cookie hash validity // check cookie hash validity
if ($hash == hash('sha256', $user_id . ':' . $token . PSM_LOGIN_COOKIE_SECRET_KEY) && !empty($token)) { if ($hash == hash('sha256', $user_id . '_' . $token . PSM_LOGIN_COOKIE_SECRET_KEY) && !empty($token)) {
// cookie looks good, try to select corresponding user // cookie looks good, try to select corresponding user
// get real token from database (and all other data) // get real token from database (and all other data)
$user = $this->getUser($user_id); $user = $this->getUser($user_id);
@ -321,15 +321,15 @@ class User
protected function newRememberMeCookie() protected function newRememberMeCookie()
{ {
// generate 64 char random string and store it in current user data // generate 64 char random string and store it in current user data
$random_token_string = hash('sha256', mt_rand()); $random_token_string = hash('sha256', random_bytes(64));
$sth = $this->db_connection->prepare('UPDATE ' . $sth = $this->db_connection->prepare('UPDATE ' .
PSM_DB_PREFIX . 'users SET rememberme_token = :user_rememberme_token WHERE user_id = :user_id'); PSM_DB_PREFIX . 'users SET rememberme_token = :user_rememberme_token WHERE user_id = :user_id');
$sth->execute(array(':user_rememberme_token' => $random_token_string, ':user_id' => $this->getUserId())); $sth->execute(array(':user_rememberme_token' => $random_token_string, ':user_id' => $this->getUserId()));
// generate cookie string that consists of userid, randomstring and combined hash of both // generate cookie string that consists of userid, randomstring and combined hash of both
$cookie_string_first_part = $this->getUserId() . ':' . $random_token_string; $cookie_string_first_part = $this->getUserId() . '_' . $random_token_string;
$cookie_string_hash = hash('sha256', $cookie_string_first_part . PSM_LOGIN_COOKIE_SECRET_KEY); $cookie_string_hash = hash('sha256', $cookie_string_first_part . PSM_LOGIN_COOKIE_SECRET_KEY);
$cookie_string = $cookie_string_first_part . ':' . $cookie_string_hash; $cookie_string = $cookie_string_first_part . '_' . $cookie_string_hash;
// set cookie // set cookie
setcookie('rememberme', $cookie_string, time() + PSM_LOGIN_COOKIE_RUNTIME, "/", PSM_LOGIN_COOKIE_DOMAIN); setcookie('rememberme', $cookie_string, time() + PSM_LOGIN_COOKIE_RUNTIME, "/", PSM_LOGIN_COOKIE_DOMAIN);
@ -526,10 +526,8 @@ class User
} }
$this->user_preferences = array(); $this->user_preferences = array();
foreach ( foreach ($this->db_connection->query('SELECT `key`,`value` FROM `' .
$this->db_connection->query('SELECT `key`,`value` FROM `' . PSM_DB_PREFIX . 'users_preferences` WHERE `user_id` = ' . $this->user_id) as $row) {
PSM_DB_PREFIX . 'users_preferences` WHERE `user_id` = ' . $this->user_id) as $row
) {
$this->user_preferences[$row['key']] = $row['value']; $this->user_preferences[$row['key']] = $row['value'];
} }
} }