Merge pull request hestiacp#1164 from Arinerron: Patch insecure CSRF token

myvesta · web-flow · commit 0cbb3613dfc2 · 2017-04-18T10:47:42.000+02:00
Patch insecure CSRF token crypto vulnerability
diff --git a/web/inc/main.php b/web/inc/main.php
@@ -59,10 +59,10 @@
     exit;
 }
 
+// Generate CSRF token
 if (isset($_SESSION['user'])) {
     if(!isset($_SESSION['token'])){
-        $token = uniqid(mt_rand(), true);
-        $_SESSION['token'] = $token;
+        $_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(16));
     }
 }
 
diff --git a/web/login/index.php b/web/login/index.php
@@ -126,7 +126,7 @@
 }
 
 // Generate CSRF token
-$_SESSION['token'] = md5(uniqid(mt_rand(), true));
+$_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(16)); // generate 32-character cryptographically secure token
 
 require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php');
 require_once('../templates/header.html');

Original file line number	Diff line number	Diff line change
`@@ -59,10 +59,10 @@`
`59`	`59`	`exit;`
`60`	`60`	`}`
`61`	`61`
	`62`	`+// Generate CSRF token`
`62`	`63`	`if (isset($_SESSION['user'])) {`
`63`	`64`	`if(!isset($_SESSION['token'])){`
`64`		`- $token = uniqid(mt_rand(), true);`
`65`		`- $_SESSION['token'] = $token;`
	`65`	`+ $_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(16));`
`66`	`66`	`}`
`67`	`67`	`}`
`68`	`68`
Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@`
`126`	`126`	`}`
`127`	`127`
`128`	`128`	`// Generate CSRF token`
`129`		`-$_SESSION['token'] = md5(uniqid(mt_rand(), true));`
	`129`	`+$_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(16)); // generate 32-character cryptographically secure token`
`130`	`130`
`131`	`131`	`require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php');`
`132`	`132`	`require_once('../templates/header.html');`