From 2e1df2de5a47c1e7275840ee3713b968571eef5a Mon Sep 17 00:00:00 2001
From: Benjamin Aerni
Date: Mon, 9 Aug 2021 19:00:14 -0700
Subject: [PATCH] =?UTF-8?q?Use=20random=5Fbytes=20instead=20of=20uniqid=20?=
 =?UTF-8?q?since=20it=20actually=20generates=20crypto=E2=80=A6=20(#944)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Use random_bytes instead of uniqid since it actually generates cryptographically secure pseudo-random bytes
* Update SECURITY.md
---
 SECURITY.md | 10 ++++++++--
 src/bb-modules/Support/Service.php | 4 ++--
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index d836d2f62..012cd0c2f 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -7,10 +7,16 @@ currently being supported with security updates.
 | Version | Supported |
 | ------- | ------------------ |
-| 4.20.x | :white_check_mark: |
+| 4.22.x | :white_check_mark: |
-## Reporting Bugs
+## Reporting Vulnerabilities
+To report a vulnerability, it's please make a submission on [huntr.dev](https://huntr.dev/bounties/disclose). Enter https://github.com/boxbilling/boxbilling as the repository and then go from there. Their website should provide you a good idea for the requirements of a good vulnerability report.
+It's important to make the submission there as it keeps the vulnerability private which helps ensure it can't be exploited while a patch is in the works. If you have a suggestion that is related to security, then [creating an issue](https://github.com/boxbilling/boxbilling/issues/new/choose) on github is a suitable place.
+Usually a good report should include where the file is, how the vulnerability could be explointed, the potential ramifications of the vulnerability, a proof of concept exploit, and if possible insight into a solution. A proper vulnerability report is awarded with a cash reward, if you provide a patch there is usually a reward with that as well.
+
+## Not a Vulnerability?
+**Reporting bugs**
 This section guides you through submitting a bug report for BoxBilling. Following these guidelines helps maintainers and the community understand your report 📝, reproduce the behavior 💻 💻, and find related reports 🔎.
 Before creating bug reports, please check this list as you might find out that you don't need to create one. When you are creating a bug report, please include as many details as possible.
diff --git a/src/bb-modules/Support/Service.php b/src/bb-modules/Support/Service.php
index aca780d72..af8025462 100644
--- a/src/bb-modules/Support/Service.php
+++ b/src/bb-modules/Support/Service.php
@@ -816,7 +816,7 @@ public function ticketCreateForGuest($data)
 }
 $ticket = $this->di['db']->dispense('SupportPTicket');
- $ticket->hash = sha1(uniqid());
+ $ticket->hash = sha1(random_bytes(13));
 $ticket->author_name = $data['name'];
 $ticket->author_email = $data['email'];
 $ticket->subject = $subject;
@@ -1206,7 +1206,7 @@ public function publicTicketCreate($data, \Model_Admin $identity)
 $this->di['events_manager']->fire(array('event' => 'onBeforeAdminPublicTicketOpen', 'params' => $data));
 $ticket = $this->di['db']->dispense('SupportPTicket');
- $ticket->hash = sha1(uniqid());
+ $ticket->hash = sha1(random_bytes(13));
 $ticket->author_name = $data['name'];
 $ticket->author_email = $data['email'];
 $ticket->subject = $data['subject'];
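Review bot: Both hunks (ticketCreateForGuest at line 816 and publicTicketCreate at line 1206) pass the 13 random bytes through sha1(), which caps the token at 104 bits of entropy and makes the stored value look like a digest of some input when it is really an opaque random identifier; `$ticket->hash = bin2hex(random_bytes(20));` produces the same 40-character lowercase hex string with the full 160 bits and no hashing step. Since the same expression now appears in two methods, a small private helper such as `$ticket->hash = $this->generateTicketHash();` would keep the two call sites from drifting apart again. Unlike uniqid(), random_bytes() throws when no CSPRNG source is available; failing closed is the right behaviour if this hash doubles as the guest's lookup token for the ticket (its use is outside the hunk), but it deserves a comment, e.g. `// Unpredictable ticket token; random_bytes() throws rather than degrade.`. Both enclosing methods start and end outside the hunk.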