generate unpredictable unique session ids
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
@@ -129,7 +129,7 @@ if ($page == 'admins' && $userinfo['change_serversettings'] == '1') {
|
||||
'userid' => $userinfo['userid']
|
||||
));
|
||||
|
||||
$s = md5(uniqid(microtime(), 1));
|
||||
$s = \Froxlor\Froxlor::genSessionId();
|
||||
$ins_stmt = Database::prepare("
|
||||
INSERT INTO `" . TABLE_PANEL_SESSIONS . "` SET
|
||||
`hash` = :hash, `userid` = :userid, `ipaddress` = :ip,
|
||||
|
||||
@@ -178,7 +178,7 @@ if ($page == 'customers' && $userinfo['customers'] != '0') {
|
||||
'hash' => $s
|
||||
));
|
||||
|
||||
$s = md5(uniqid(microtime(), 1));
|
||||
$s = \Froxlor\Froxlor::genSessionId();
|
||||
$insert = Database::prepare("
|
||||
INSERT INTO `" . TABLE_PANEL_SESSIONS . "` SET
|
||||
`hash` = :hash,
|
||||
|
||||
@@ -675,7 +675,7 @@ function finishLogin($userinfo)
|
||||
global $version, $dbversion, $remote_addr, $http_user_agent, $languages;
|
||||
|
||||
if (isset($userinfo['userid']) && $userinfo['userid'] != '') {
|
||||
$s = md5(uniqid(microtime(), 1));
|
||||
$s = \Froxlor\Froxlor::genSessionId();
|
||||
|
||||
if (isset($_POST['language'])) {
|
||||
$language = \Froxlor\Validate\Validate::validate($_POST['language'], 'language');
|
||||
|
||||
@@ -363,6 +363,30 @@ class FroxlorInstall
|
||||
return $content;
|
||||
}
|
||||
|
||||
/**
|
||||
* generate safe unique token
|
||||
*
|
||||
* @param int $length
|
||||
* @return string
|
||||
*/
|
||||
private function genUniqueToken(int $length = 16)
|
||||
{
|
||||
if(!isset($length) || intval($length) <= 8 ){
|
||||
$length = 16;
|
||||
}
|
||||
if (function_exists('random_bytes')) {
|
||||
return bin2hex(random_bytes($length));
|
||||
}
|
||||
if (function_exists('mcrypt_create_iv')) {
|
||||
return bin2hex(mcrypt_create_iv($length, MCRYPT_DEV_URANDOM));
|
||||
}
|
||||
if (function_exists('openssl_random_pseudo_bytes')) {
|
||||
return bin2hex(openssl_random_pseudo_bytes($length));
|
||||
}
|
||||
// if everything else fails, use unsafe fallback
|
||||
return md5(uniqid(microtime(), 1));
|
||||
}
|
||||
|
||||
/**
|
||||
* create corresponding entries in froxlor database
|
||||
*
|
||||
@@ -407,7 +431,7 @@ class FroxlorInstall
|
||||
$ins_data = array(
|
||||
'loginname' => $this->_data['admin_user'],
|
||||
/* use SHA256 default crypt */
|
||||
'password' => crypt($this->_data['admin_pass1'], '$5$' . md5(uniqid(microtime(), 1)) . md5(uniqid(microtime(), 1))),
|
||||
'password' => crypt($this->_data['admin_pass1'], '$5$' . $this->genUniqueToken() . $this->genUniqueToken()),
|
||||
'email' => 'admin@' . $this->_data['servername'],
|
||||
'deflang' => $this->_languages[$this->_activelng]
|
||||
);
|
||||
|
||||
@@ -82,10 +82,10 @@ class DbManager
|
||||
// get all usernames from db-manager
|
||||
$allsqlusers = $this->getManager()->getAllSqlUsers();
|
||||
// generate random username
|
||||
$username = $loginname . '-' . substr(md5(uniqid(microtime(), 1)), 20, 3);
|
||||
$username = $loginname . '-' . substr(\Froxlor\Froxlor::genSessionId(), 20, 3);
|
||||
// check whether it exists on the DBMS
|
||||
while (in_array($username, $allsqlusers)) {
|
||||
$username = $loginname . '-' . substr(md5(uniqid(microtime(), 1)), 20, 3);
|
||||
$username = $loginname . '-' . substr(\Froxlor\Froxlor::genSessionId(), 20, 3);
|
||||
}
|
||||
} elseif (strtoupper(Settings::Get('customer.mysqlprefix')) == 'DBNAME') {
|
||||
$username = $loginname;
|
||||
|
||||
@@ -340,7 +340,7 @@ class Domain
|
||||
// run remove command
|
||||
\Froxlor\FileDir::safe_exec($acmesh . $params);
|
||||
// remove certificates directory
|
||||
@unlink($certificate_folder);
|
||||
\Froxlor\FileDir::safe_exec('rm -rf ' . $certificate_folder);
|
||||
}
|
||||
}
|
||||
return true;
|
||||
|
||||
@@ -202,6 +202,30 @@ final class Froxlor
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* generate safe unique session id
|
||||
*
|
||||
* @param int $length
|
||||
* @return string
|
||||
*/
|
||||
public static function genSessionId(int $length = 16)
|
||||
{
|
||||
if(!isset($length) || intval($length) <= 8 ){
|
||||
$length = 16;
|
||||
}
|
||||
if (function_exists('random_bytes')) {
|
||||
return bin2hex(random_bytes($length));
|
||||
}
|
||||
if (function_exists('mcrypt_create_iv')) {
|
||||
return bin2hex(mcrypt_create_iv($length, MCRYPT_DEV_URANDOM));
|
||||
}
|
||||
if (function_exists('openssl_random_pseudo_bytes')) {
|
||||
return bin2hex(openssl_random_pseudo_bytes($length));
|
||||
}
|
||||
// if everything else fails, use unsafe fallback
|
||||
return md5(uniqid(microtime(), 1));
|
||||
}
|
||||
|
||||
/**
|
||||
* compare of froxlor versions
|
||||
*
|
||||
|
||||
Reference in New Issue
Block a user