Skip to content

Commit

Permalink
SECURITY: Replaced mt_rand with random_bytes
Browse files Browse the repository at this point in the history
https://huntr.dev/bounties/2-phpservermon/phpservermon/
CWE-1241: Use of Predictable Algorithm in Random Number Generator
  • Loading branch information
TimZ99 committed Jun 23, 2021
1 parent bb10a5f commit 3daa804
Show file tree
Hide file tree
Showing 3 changed files with 26 additions and 23 deletions.
2 changes: 1 addition & 1 deletion src/includes/psmconfig.inc.php
Expand Up @@ -30,7 +30,7 @@
/**
* Current PSM version
*/
define('PSM_VERSION', '3.6.0.beta2');
define('PSM_VERSION', '3.6.0');

/**
* URL to check for updates. Will not be checked if turned off on config page.
Expand Down
40 changes: 20 additions & 20 deletions src/psm/Service/User.php
Expand Up @@ -72,7 +72,7 @@ class User
protected $user_id;

/**
*Current user preferences
* Current user preferences
* @var array $user_preferences
*/
protected $user_preferences;
Expand Down Expand Up @@ -237,15 +237,15 @@ public function loginWithPostData($user_name, $user_password, $user_rememberme =
}

$dirauthconfig = psm_get_conf('dirauth_status');

// LDAP auth enabled
if ($dirauthconfig === '1') {
$ldaplibpath = realpath(
PSM_PATH_SRC . '..' . DIRECTORY_SEPARATOR .
'vendor' . DIRECTORY_SEPARATOR .
'viharm' . DIRECTORY_SEPARATOR .
'psm-ldap-auth' . DIRECTORY_SEPARATOR .
'psmldapauth.php'
'vendor' . DIRECTORY_SEPARATOR .
'viharm' . DIRECTORY_SEPARATOR .
'psm-ldap-auth' . DIRECTORY_SEPARATOR .
'psmldapauth.php'
);
// If the library is found
if ($ldaplibpath) {
Expand All @@ -260,20 +260,20 @@ public function loginWithPostData($user_name, $user_password, $user_rememberme =

// Authenticated
if ($ldapauthstatus === true) {
// Remove password to prevent it from being saved in the DB.
// Otherwise, user may still be authenticated if LDAP is disabled later.
$user_password = null;
@fn_Debug('Authenticated', $user);
// Remove password to prevent it from being saved in the DB.
// Otherwise, user may still be authenticated if LDAP is disabled later.
$user_password = null;
@fn_Debug('Authenticated', $user);
} else {

// using PHP 5.5's password_verify() function to check if the provided passwords
// fits to the hash of that user's password
if (!isset($user->user_id)) {
password_verify($user_password, 'dummy_call_against_timing');
return false;
} elseif (!password_verify($user_password, $user->password)) {
return false;
}
// using PHP 5.5's password_verify() function to check if the provided passwords
// fits to the hash of that user's password
if (!isset($user->user_id)) {
password_verify($user_password, 'dummy_call_against_timing');
return false;
} elseif (!password_verify($user_password, $user->password)) {
return false;
}
} // not authenticated

$this->setUserLoggedIn($user->user_id, true);
Expand Down Expand Up @@ -390,8 +390,8 @@ public function generatePasswordResetToken($user_id)
}
// generate timestamp (to see when exactly the user (or an attacker) requested the password reset mail)
$temporary_timestamp = time();
// generate random hash for email password reset verification (40 char string)
$user_password_reset_hash = sha1(uniqid(mt_rand(), true));
// generate random hash for email password reset verification (64 char string)
$user_password_reset_hash = hash('sha256', uniqid(random_bytes(64), true));

$query_update = $this->db_connection->prepare('UPDATE ' .
PSM_DB_PREFIX . 'users SET password_reset_hash = :user_password_reset_hash,
Expand Down
7 changes: 5 additions & 2 deletions src/psm/Util/Install/Installer.php
Expand Up @@ -212,7 +212,7 @@ protected function installTables()
`user_id` int(11) unsigned NOT NULL AUTO_INCREMENT,
`user_name` varchar(64) NOT NULL COMMENT 'user''s name, unique',
`password` varchar(255) NOT NULL COMMENT 'user''s password in salted and hashed format',
`password_reset_hash` char(40) DEFAULT NULL COMMENT 'user''s password reset code',
`password_reset_hash` varchar(64) DEFAULT NULL COMMENT 'user''s password reset code',
`password_reset_timestamp` bigint(20) DEFAULT NULL COMMENT 'timestamp of the password reset request',
`rememberme_token` varchar(64) DEFAULT NULL COMMENT 'user''s remember-me cookie token',
`level` tinyint(2) unsigned NOT NULL DEFAULT '20',
Expand All @@ -230,7 +230,7 @@ protected function installTables()
UNIQUE KEY `unique_username` (`user_name`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;",
PSM_DB_PREFIX .
'users_preferences' => "CREATE TABLE IF NOT EXISTS `" . PSM_DB_PREFIX . "users_preferences` (
'users_preferences' => "CREATE TABLE IF NOT EXISTS `" . PSM_DB_PREFIX . "users_preferences` (
`user_id` int(11) unsigned NOT NULL,
`key` varchar(255) NOT NULL,
`value` varchar(255) NOT NULL,
Expand Down Expand Up @@ -732,6 +732,7 @@ protected function upgrade350()
/**
* Patch for v3.6.0 release
* Added support for Discord and webhooks
* Password_reset_hash varchar 40 -> 64 to allow for SHA256 hash
*/
protected function upgrade360()
{
Expand All @@ -758,6 +759,8 @@ protected function upgrade360()
$queries[] = "INSERT INTO `" . PSM_DB_PREFIX . "users` (
`user_name`, `level`, `name`, `email`)
VALUES ('__PUBLIC__', 30, 'Public page', 'publicpage@psm.psm')";
$queries[] = "ALTER TABLE `" . PSM_DB_PREFIX . "users`
CHANGE `password_reset_hash` `password_reset_hash` VARCHAR( 64 ) DEFAULT NULL COMMENT 'user''s password reset code';";
$this->execSQL($queries);

$this->log('Public page is now available. Added user \'__PUBLIC__\'. See documentation for more info.');
Expand Down

0 comments on commit 3daa804

Please sign in to comment.