Navigation

← Previous Changeset
Next Changeset →

Changeset 1497

Timestamp:

02/19/08 23:09:45 (6 months ago)

Author:

Rickard

Message:

Fixed a password recovery vulnerability. Reported by Stefan Esser.

Files:

trunk/upload/include/common.php (modified) (1 diff)
trunk/upload/include/functions.php (modified) (1 diff)
trunk/upload/login.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/upload/include/common.php

r933	r1497
71	71	}
72	72
73		// Seed the random number generator
74		mt_srand((double)microtime()*1000000);
	73	// Seed the random number generator (PHP <4.2.0 only)
	74	if (version_compare(PHP_VERSION, '4.2.0', '<'))
	75	mt_srand((double)microtime()*1000000);
75	76
76	77	// If a cookie name is not specified in config.php, we use the default (punbb_cookie)

trunk/upload/include/functions.php

r1494	r1497
49	49	if (!isset($pun_user['id']) \|\| md5($cookie_seed.$pun_user['password']) !== $cookie['password_hash'])
50	50	{
51		pun_setcookie(~~0, random_pass(8~~), $expire);
	51	pun_setcookie(1, md5(uniqid(rand(), true)), $expire);
52	52	set_default_user();
53	53

trunk/upload/login.php

r1356	r1497
98	98	$db->query('UPDATE '.$db->prefix.'users SET last_visit='.$pun_user['logged'].' WHERE id='.$pun_user['id']) or error('Unable to update user visit data', __FILE__, __LINE__, $db->error());
99	99
100		pun_setcookie(1, ~~random_pass(8~~), time() + 31536000);
	100	pun_setcookie(1, md5(uniqid(rand(), true)), time() + 31536000);
101	101
102	102	redirect('index.php', $lang_login['Logout redirect']);

Download in other formats: