0009190: Improve robustness of auth_generate_confirm_hash() - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0009190	mantisbt	security	public	2008-05-21 18:44	2011-08-05 02:25

Reporter	giallu	Assigned To	dhx
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	closed	Resolution	duplicate
Product Version	1.1.1

Summary	0009190: Improve robustness of auth_generate_confirm_hash()
Description	The function auth_generate_confirm_hash() is used in verify.php to allow a passwordless login during signup, lost password or reset password procedures. the hash is produced by: <code> function auth_generate_confirm_hash( $p_user_id ) { $t_confirm_hash_generator = config_get( 'password_confirm_hash_magic_string' ); $t_password = user_get_field( $p_user_id, 'password' ); $t_last_visit = user_get_field( $p_user_id, 'last_visit' ); `$t_confirm_hash = md5( $t_confirm_hash_generator . $t_password . $t_last_visit ); return $t_confirm_hash; }` </code> If the admin did not set password_confirm_hash_magic_string and the LDAP login is used (so no passwords are set) the hash is somewhat more predictable. I propose to replace $t_confirm_hash_generator with something less predictable; the user's cookie string looks like a very good candidate
Tags	No tags attached.

duplicate of	0010730	closed	dhx	Improve random number generation with openssl_random_pseudo_bytes
related to	0009191	closed	dhx	obsolete and remove $g_password_confirm_hash_magic_string

dhx 2010-09-18 01:29 reporter ~0026768	Fixed/replaced in 0010730 with a MUCH more secure method (random nonce generation from /dev/urandom or openssl_pseudo_random_bytes()).