View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0009190 | mantisbt | security | public | 2008-05-21 18:44 | 2011-08-05 02:25 |
Reporter | giallu | Assigned To | dhx | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | duplicate | ||
Product Version | 1.1.1 | ||||
Summary | 0009190: Improve robustness of auth_generate_confirm_hash() | ||||
Description | The function auth_generate_confirm_hash() is used in verify.php to allow a passwordless login during the signup, lost password and reset password procedures. The hash is produced by:
If the admin did not set password_confirm_hash_magic_string and LDAP login is used (so no passwords are set), the hash is somewhat more predictable. I propose to replace $t_confirm_hash_generator with something less predictable; the user's cookie string looks like a very good candidate. | ||||
Tags | No tags attached. | ||||
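The weakness the report describes is a confirmation hash derived from attributes an attacker can know or guess (user data, timestamps, an unset magic string, an empty password field under LDAP). The following is an added example and is not MantisBT's code: it contrasts a hypothetical token built from such predictable inputs with one drawn from the operating system's CSPRNG, stored only as a hash and checked in constant time. The function names, the one-hour lifetime and the sample user record are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not MantisBT code. Token lifetime is an assumed value.
const CONFIRM_TOKEN_TTL = 3600;

// Hypothetical predictable construction, for illustration only: every input is
// either public (user id, email), guessable to within seconds (timestamp) or
// empty when the magic string is unset and the account has no local password.
function weak_confirm_hash(int $user_id, string $email, int $last_visit,
                           string $magic_string, string $password_hash): string {
    return md5($user_id . $email . $last_visit . $magic_string . $password_hash);
}

// An attacker who knows the account details and the approximate time of the
// request can reproduce the weak hash by trying timestamps in a small window.
function guess_weak_hash(string $target, int $user_id, string $email,
                         int $approx_time, int $window): ?int {
    for ($t = $approx_time - $window; $t <= $approx_time + $window; $t++) {
        if (weak_confirm_hash($user_id, $email, $t, '', '') === $target) {
            return $t; // recovered the timestamp, hence the hash
        }
    }
    return null;
}

// Hardened construction: 32 bytes from the CSPRNG. Nothing about the user, the
// configuration or the authentication method feeds into it, so LDAP accounts
// and installations without a magic string are no weaker than any other.
function generate_confirm_token(int $user_id, int $now): array {
    $token = bin2hex(random_bytes(32));
    // Persist only a hash of the token; a leaked table then yields nothing usable.
    $record = [
        'user_id'    => $user_id,
        'token_hash' => hash('sha256', $token),
        'expires'    => $now + CONFIRM_TOKEN_TTL,
    ];
    return [$token, $record];
}

// Verify a presented token against the stored record: check expiry first, then
// compare hashes with hash_equals() to avoid a timing side channel.
function verify_confirm_token(string $presented, array $record, int $now): bool {
    if ($now > $record['expires']) {
        return false;
    }
    return hash_equals($record['token_hash'], hash('sha256', $presented));
}

// Demonstration with a constructed user record.
$user_id = 42;
$email   = 'user@example.org';
$now     = 1211395440; // constructed timestamp

// Weak: the attacker recovers the hash from public data in a few hundred tries.
$weak = weak_confirm_hash($user_id, $email, $now - 17, '', '');
$hit  = guess_weak_hash($weak, $user_id, $email, $now, 300);
echo "weak hash reproduced from public inputs: " . ($hit !== null ? 'yes' : 'no') . "\n";

// Hardened: the token is accepted once, constant-time, and only before expiry.
[$token, $record] = generate_confirm_token($user_id, $now);
echo "valid token accepted:   " . (verify_confirm_token($token, $record, $now + 60) ? 'yes' : 'no') . "\n";
echo "tampered token rejected: " . (verify_confirm_token(strrev($token), $record, $now + 60) ? 'no' : 'yes') . "\n";
echo "expired token rejected:  " . (verify_confirm_token($token, $record, $now + CONFIRM_TOKEN_TTL + 1) ? 'no' : 'yes') . "\n";
```

Because the hardened token carries no information about the user, the server has to look the record up by user id (or by the token hash) rather than recompute it; that is the trade-off for removing every attacker-predictable input. Marking the record used or deleting it after a successful verification keeps the token single-use.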