maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

generate unpredictable unique session ids

Browse Source 
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2021-10-02 12:38:17 +02:00
parent e73523531a
commit 7feddf0aec
7 changed files with 56 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
admin_admins.php
View File

@@ -129,7 +129,7 @@ if ($page == 'admins' && $userinfo['change_serversettings'] == '1') {
'userid' => $userinfo['userid'] 'userid' => $userinfo['userid']
)); ));
$s = md5(uniqid(microtime(), 1)); $s = \Froxlor\Froxlor::genSessionId();
$ins_stmt = Database::prepare(" $ins_stmt = Database::prepare("
INSERT INTO `" . TABLE_PANEL_SESSIONS . "` SET INSERT INTO `" . TABLE_PANEL_SESSIONS . "` SET
`hash` = :hash, `userid` = :userid, `ipaddress` = :ip, `hash` = :hash, `userid` = :userid, `ipaddress` = :ip,

2
admin_customers.php
View File

@@ -178,7 +178,7 @@ if ($page == 'customers' && $userinfo['customers'] != '0') {
'hash' => $s 'hash' => $s
)); ));
$s = md5(uniqid(microtime(), 1)); $s = \Froxlor\Froxlor::genSessionId();
$insert = Database::prepare(" $insert = Database::prepare("
INSERT INTO `" . TABLE_PANEL_SESSIONS . "` SET INSERT INTO `" . TABLE_PANEL_SESSIONS . "` SET
`hash` = :hash, `hash` = :hash,

2
index.php
View File

@@ -675,7 +675,7 @@ function finishLogin($userinfo)
global $version, $dbversion, $remote_addr, $http_user_agent, $languages; global $version, $dbversion, $remote_addr, $http_user_agent, $languages;
if (isset($userinfo['userid']) && $userinfo['userid'] != '') { if (isset($userinfo['userid']) && $userinfo['userid'] != '') {
$s = md5(uniqid(microtime(), 1)); $s = \Froxlor\Froxlor::genSessionId();
if (isset($_POST['language'])) { if (isset($_POST['language'])) {
$language = \Froxlor\Validate\Validate::validate($_POST['language'], 'language'); $language = \Froxlor\Validate\Validate::validate($_POST['language'], 'language');

26
install/lib/class.FroxlorInstall.php
View File

@@ -363,6 +363,30 @@ class FroxlorInstall
return $content; return $content;
} }
/**
* generate safe unique token
*
* @param int $length
* @return string
*/
private function genUniqueToken(int $length = 16)
{
if(!isset($length) || intval($length) <= 8 ){
$length = 16;
}
if (function_exists('random_bytes')) {
return bin2hex(random_bytes($length));
}
if (function_exists('mcrypt_create_iv')) {
return bin2hex(mcrypt_create_iv($length, MCRYPT_DEV_URANDOM));
}
if (function_exists('openssl_random_pseudo_bytes')) {
return bin2hex(openssl_random_pseudo_bytes($length));
}
// if everything else fails, use unsafe fallback
return md5(uniqid(microtime(), 1));
}
/** /**
* create corresponding entries in froxlor database * create corresponding entries in froxlor database
* *
@@ -407,7 +431,7 @@ class FroxlorInstall
$ins_data = array( $ins_data = array(
'loginname' => $this->_data['admin_user'], 'loginname' => $this->_data['admin_user'],
/* use SHA256 default crypt */ /* use SHA256 default crypt */
'password' => crypt($this->_data['admin_pass1'], '$5$' . md5(uniqid(microtime(), 1)) . md5(uniqid(microtime(), 1))), 'password' => crypt($this->_data['admin_pass1'], '$5$' . $this->genUniqueToken() . $this->genUniqueToken()),
'email' => 'admin@' . $this->_data['servername'], 'email' => 'admin@' . $this->_data['servername'],
'deflang' => $this->_languages[$this->_activelng] 'deflang' => $this->_languages[$this->_activelng]
); );

4
lib/Froxlor/Database/DbManager.php
View File

@@ -82,10 +82,10 @@ class DbManager
// get all usernames from db-manager // get all usernames from db-manager
$allsqlusers = $this->getManager()->getAllSqlUsers(); $allsqlusers = $this->getManager()->getAllSqlUsers();
// generate random username // generate random username
$username = $loginname . '-' . substr(md5(uniqid(microtime(), 1)), 20, 3); $username = $loginname . '-' . substr(\Froxlor\Froxlor::genSessionId(), 20, 3);
// check whether it exists on the DBMS // check whether it exists on the DBMS
while (in_array($username, $allsqlusers)) { while (in_array($username, $allsqlusers)) {
$username = $loginname . '-' . substr(md5(uniqid(microtime(), 1)), 20, 3); $username = $loginname . '-' . substr(\Froxlor\Froxlor::genSessionId(), 20, 3);
} }
} elseif (strtoupper(Settings::Get('customer.mysqlprefix')) == 'DBNAME') { } elseif (strtoupper(Settings::Get('customer.mysqlprefix')) == 'DBNAME') {
$username = $loginname; $username = $loginname;

2
lib/Froxlor/Domain/Domain.php
View File

@@ -340,7 +340,7 @@ class Domain
// run remove command // run remove command
\Froxlor\FileDir::safe_exec($acmesh . $params); \Froxlor\FileDir::safe_exec($acmesh . $params);
// remove certificates directory // remove certificates directory
@unlink($certificate_folder); \Froxlor\FileDir::safe_exec('rm -rf ' . $certificate_folder);
} }
} }
return true; return true;

24
lib/Froxlor/Froxlor.php
View File

@@ -202,6 +202,30 @@ final class Froxlor
return false; return false;
} }
/**
* generate safe unique session id
*
* @param int $length
* @return string
*/
public static function genSessionId(int $length = 16)
{
if(!isset($length) || intval($length) <= 8 ){
$length = 16;
}
if (function_exists('random_bytes')) {
return bin2hex(random_bytes($length));
}
if (function_exists('mcrypt_create_iv')) {
return bin2hex(mcrypt_create_iv($length, MCRYPT_DEV_URANDOM));
}
if (function_exists('openssl_random_pseudo_bytes')) {
return bin2hex(openssl_random_pseudo_bytes($length));
}
// if everything else fails, use unsafe fallback
return md5(uniqid(microtime(), 1));
}
/** /**
* compare of froxlor versions * compare of froxlor versions
* *