Merge pull request #410 from HarryR/droppleganger

Protect against DroppleGanger Auth-Bypass exploit
johnroper100 · Nov 4, 2016 · adcb8af · adcb8af
2 parents 553d283 + a8e3a91
commit adcb8af
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 13 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+/config.php
diff --git a/cache/.gitignore b/cache/.gitignore
@@ -0,0 +1 @@
+*
diff --git a/dropplets/functions.php b/dropplets/functions.php
@@ -53,8 +53,19 @@
             $verification_file = "./verify.php";
 
             // If verified, allow a password reset.
-            if (!isset($_GET["verify"])) {
+            if (isset($_GET["verify"])) {
 
+                require($verification_file);
+
+                if ($_GET["verify"] === $verification_code) {
+                    $_SESSION["user"] = true;
+                    unlink($verification_file);
+                } else {
+                    $login_error = "That's not the correct recovery code!";
+                }
+            }
+            else {
+                // Generate verification token and send e-mail
                 $code = sha1(md5(rand()));
 
                 $verify_file_contents[] = "<?php";
@@ -70,18 +81,6 @@
 
                 mail($blog_email, $blog_title . " - Recover your Dropplets Password", $message, implode("\r\n", $headers));
                 $login_error = "Details on how to recover your password have been sent to your email.";
-
-            // If not verified, display a verification error.
-            } else {
-
-                include($verification_file);
-
-                if ($_GET["verify"] == $verification_code) {
-                    $_SESSION["user"] = true;
-                    unlink($verification_file);
-                } else {
-                    $login_error = "That's not the correct recovery code!";
-                }
             }
             break;