From 7feddf0aecd660ffe3802c303d83fdd9fc0247bb Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Sat, 2 Oct 2021 12:38:17 +0200
Subject: [PATCH] generate unpredictable unique session ids

Signed-off-by: Michael Kaufmann
---
 admin_admins.php | 2 +-
 admin_customers.php | 2 +-
 index.php | 2 +-
 install/lib/class.FroxlorInstall.php | 28 ++++++++++++++++++++++++++--
 lib/Froxlor/Database/DbManager.php | 4 ++--
 lib/Froxlor/Domain/Domain.php | 2 +-
 lib/Froxlor/Froxlor.php | 24 ++++++++++++++++++++++++
 7 files changed, 56 insertions(+), 8 deletions(-)

diff --git a/admin_admins.php b/admin_admins.php
index b404cf8cc..3c8031d88 100644
--- a/admin_admins.php
+++ b/admin_admins.php
@@ -129,7 +129,7 @@
 'userid' => $userinfo['userid']
 ));
- $s = md5(uniqid(microtime(), 1));
+ $s = \Froxlor\Froxlor::genSessionId();
 $ins_stmt = Database::prepare("
 INSERT INTO `" . TABLE_PANEL_SESSIONS . "` SET
 `hash` = :hash, `userid` = :userid, `ipaddress` = :ip,
diff --git a/admin_customers.php b/admin_customers.php
index af08c8d1f..ac393f73e 100644
--- a/admin_customers.php
+++ b/admin_customers.php
@@ -178,7 +178,7 @@
 'hash' => $s
 ));
- $s = md5(uniqid(microtime(), 1));
+ $s = \Froxlor\Froxlor::genSessionId();
 $insert = Database::prepare("
 INSERT INTO `" . TABLE_PANEL_SESSIONS . "` SET
 `hash` = :hash,
diff --git a/index.php b/index.php
index e59c1f5f5..83ab7a4b1 100644
--- a/index.php
+++ b/index.php
@@ -675,7 +675,7 @@ function finishLogin($userinfo)
 global $version, $dbversion, $remote_addr, $http_user_agent, $languages;
 if (isset($userinfo['userid']) && $userinfo['userid'] != '') {
- $s = md5(uniqid(microtime(), 1));
+ $s = \Froxlor\Froxlor::genSessionId();
 if (isset($_POST['language'])) {
 $language = \Froxlor\Validate\Validate::validate($_POST['language'], 'language');
diff --git a/install/lib/class.FroxlorInstall.php b/install/lib/class.FroxlorInstall.php
index 4bb2d7ca2..62c6a66a1 100644
--- a/install/lib/class.FroxlorInstall.php
+++ b/install/lib/class.FroxlorInstall.php
@@ -363,6 +363,30 @@ private function _createUserdataConf()
 return $content;
 }
+ /**
+ * generate safe unique token
+ *
+ * @param int $length
+ * @return string
+ */
+ private function genUniqueToken(int $length = 16)
+ {
+ if(!isset($length) || intval($length) <= 8 ){
+ $length = 16;
+ }
+ if (function_exists('random_bytes')) {
+ return bin2hex(random_bytes($length));
+ }
+ if (function_exists('mcrypt_create_iv')) {
+ return bin2hex(mcrypt_create_iv($length, MCRYPT_DEV_URANDOM));
+ }
+ if (function_exists('openssl_random_pseudo_bytes')) {
+ return bin2hex(openssl_random_pseudo_bytes($length));
+ }
+ // if everything else fails, use unsafe fallback
+ return md5(uniqid(microtime(), 1));
+ }
+
 /**
 * create corresponding entries in froxlor database
 *
@@ -406,8 +430,8 @@ private function _doDataEntries(&$db)
 $content .= $this->_status_message('begin', $this->_lng['install']['adding_admin_user']);
 $ins_data = array(
 'loginname' => $this->_data['admin_user'],
- /* use SHA256 default crypt */
- 'password' => crypt($this->_data['admin_pass1'], '$5$' . md5(uniqid(microtime(), 1)) . md5(uniqid(microtime(), 1))),
+ /* use SHA256 default crypt */
+ 'password' => crypt($this->_data['admin_pass1'], '$5$' . $this->genUniqueToken() . $this->genUniqueToken()),
 'email' => 'admin@' . $this->_data['servername'],
 'deflang' => $this->_languages[$this->_activelng]
 );
diff --git a/lib/Froxlor/Database/DbManager.php b/lib/Froxlor/Database/DbManager.php
index d3b9296df..dc0f3d1b9 100644
--- a/lib/Froxlor/Database/DbManager.php
+++ b/lib/Froxlor/Database/DbManager.php
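Review bot: The last `return md5(uniqid(microtime(), 1));` in genUniqueToken silently hands back the very predictable value this commit sets out to remove, so a caller can never tell whether the token came from a CSPRNG or from the "unsafe fallback"; failing loudly is the safer contract here, and since `random_bytes()` exists on every PHP 7+ build and already throws when no entropy source is available, the mcrypt/openssl branches are presumably unreachable on the PHP versions Froxlor supports. The openssl branch also ignores the `$crypto_strong` out-parameter, so it can return bytes that openssl itself flags as weak. The same body, including the fallback, is duplicated as `genSessionId` in lib/Froxlor/Froxlor.php in the last hunk and should get the same treatment. A smaller point of style: `!isset($length) || intval($length) <= 8` is redundant for a non-nullable `int` parameter, `if ($length <= 8) {` says the same thing.
```php
private function genUniqueToken(int $length = 16)
{
    // … unchanged: length guard, random_bytes and mcrypt_create_iv branches …
    if (function_exists('openssl_random_pseudo_bytes')) {
        $bytes = openssl_random_pseudo_bytes($length, $cryptoStrong);
        if ($bytes !== false && $cryptoStrong === true) {
            return bin2hex($bytes);
        }
    }
    // refuse to issue a predictable token rather than degrade to md5(uniqid())
    throw new \RuntimeException('no cryptographically secure random source available');
}
```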
@@ -82,10 +82,10 @@ public function createDatabase($loginname = null, $password = null, $last_accnum
 // get all usernames from db-manager
 $allsqlusers = $this->getManager()->getAllSqlUsers();
 // generate random username
- $username = $loginname . '-' . substr(md5(uniqid(microtime(), 1)), 20, 3);
+ $username = $loginname . '-' . substr(\Froxlor\Froxlor::genSessionId(), 20, 3);
 // check whether it exists on the DBMS
 while (in_array($username, $allsqlusers)) {
- $username = $loginname . '-' . substr(md5(uniqid(microtime(), 1)), 20, 3);
+ $username = $loginname . '-' . substr(\Froxlor\Froxlor::genSessionId(), 20, 3);
 }
 } elseif (strtoupper(Settings::Get('customer.mysqlprefix')) == 'DBNAME') {
 $username = $loginname;
diff --git a/lib/Froxlor/Domain/Domain.php b/lib/Froxlor/Domain/Domain.php
index c70c6cac7..a63a5ba55 100644
--- a/lib/Froxlor/Domain/Domain.php
+++ b/lib/Froxlor/Domain/Domain.php
@@ -340,7 +340,7 @@ public static function doLetsEncryptCleanUp($domainname = null)
 // run remove command
 \Froxlor\FileDir::safe_exec($acmesh . $params);
 // remove certificates directory
- @unlink($certificate_folder);
+ \Froxlor\FileDir::safe_exec('rm -rf ' . $certificate_folder);
 }
 }
 return true;
diff --git a/lib/Froxlor/Froxlor.php b/lib/Froxlor/Froxlor.php
index 3f19e3856..58e735091 100644
--- a/lib/Froxlor/Froxlor.php
+++ b/lib/Froxlor/Froxlor.php
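Review bot: `substr(\Froxlor\Froxlor::genSessionId(), 20, 3)` on both changed lines only works because the default 16-byte request happens to yield 32 hex characters, the same width md5 had; the offset 20 carries no meaning now and would silently produce a shorter suffix if the default ever changed. Taking the suffix from the start, `substr(\Froxlor\Froxlor::genSessionId(), 0, 3)`, keeps the same entropy without depending on the output length. The surrounding `in_array($username, $allsqlusers)` is also non-strict; `in_array($username, $allsqlusers, true)` is the safer form. createDatabase starts outside the hunk.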
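Review bot: The new `\Froxlor\FileDir::safe_exec('rm -rf ' . $certificate_folder);` in doLetsEncryptCleanUp concatenates a path into a shell command without `escapeshellarg()`, and nothing in the hunk shows whether safe_exec quotes its argument or how $certificate_folder is derived from the domain name above the hunk. Given that this is a recursive delete, the path should at minimum be escaped, `\Froxlor\FileDir::safe_exec('rm -rf ' . escapeshellarg($certificate_folder));`, and guarded so that it is non-empty and resolves beneath the expected certificate base directory before the command runs. Doing the removal in PHP (a RecursiveDirectoryIterator walk with unlink/rmdir) would avoid the shell entirely. doLetsEncryptCleanUp starts outside the hunk.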
@@ -202,6 +202,30 @@ public static function isFroxlorVersion($to_check = null)
 return false;
 }
+ /**
+ * generate safe unique session id
+ *
+ * @param int $length
+ * @return string
+ */
+ public static function genSessionId(int $length = 16)
+ {
+ if(!isset($length) || intval($length) <= 8 ){
+ $length = 16;
+ }
+ if (function_exists('random_bytes')) {
+ return bin2hex(random_bytes($length));
+ }
+ if (function_exists('mcrypt_create_iv')) {
+ return bin2hex(mcrypt_create_iv($length, MCRYPT_DEV_URANDOM));
+ }
+ if (function_exists('openssl_random_pseudo_bytes')) {
+ return bin2hex(openssl_random_pseudo_bytes($length));
+ }
+ // if everything else fails, use unsafe fallback
+ return md5(uniqid(microtime(), 1));
+ }
+
 /**
 * compare of froxlor versions
 *