BUGFIX: fix password for password recovery (was not random enough)
author: Arun Persaud <arun@nubati.net>
Sun, 10 Apr 2016 18:42:28 +0000 (11:42 -0700)
committer: Arun Persaud <arun@nubati.net>
Sun, 10 Apr 2016 18:42:28 +0000 (11:42 -0700)
The password was just a constant string, the email, and the current
time. Therefore, someone could just request a new password and even
without getting the email, just try out different time stamps around
the time the person requested the email and recover the temporary
password. Added a random string to generate the password, which should
fix this.

include/user.php

index 19b95440e32edfb4cb2f1e65c49d123873b34b63..f58293e888c63dda174ac90cb6f4d73b2aa8651b 100644 (file)
@@ -67,7 +67,8 @@ if(myisset('forgot'))
 
            /* create temporary password, use the fist 8 letters of a md5 hash */
            $TIME  = (string) time(); /* to avoid collisions */
-           $hash  = md5('Anewpassword'.$email.$TIME);
+           $rndstring = sha1(rand()); /* add some randomness */
+           $hash  = md5('Anewpassword'.$email.$TIME.$rndstring);
            $newpw = substr($hash,1,8);
 
            $message = sprintf( _("Someone (hopefully you) requested a new password.\n".
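Review bot: `$rndstring = sha1(rand());` does not make the temporary password unpredictable in the way the commit message intends: `rand()` is not a cryptographically secure generator, it yields at most `getrandmax()` distinct values and its sequence can be inferred from other outputs, and wrapping it in `sha1()` adds no entropy, so an attacker who guesses the timestamp still only has to enumerate the `rand()` output space. Replace it with a CSPRNG source, e.g. `$rndstring = bin2hex(random_bytes(16));` on PHP 7, or `openssl_random_pseudo_bytes()` / reading `/dev/urandom` on older releases. Separately, `$newpw = substr($hash,1,8);` keeps only 8 hex characters (32 bits) whatever the input entropy, and the comment above it says "fist 8 letters" while the offset used is 1, not 0; worth stating the intended length and whether 32 bits is acceptable for a temporary password, and fixing the typo.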