Fixed bug #15223: Password request hash in felogin is created with no…

…t enough randomness (thanks to Helmut Hummel) git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-4@8405 709f56b5-9817-0410-a4d7-c38de5d9e867
TYPO3 · Jul 28, 2010 · c03e944 · c03e944
1 parent 2baa7f8
commit c03e944
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/ChangeLog b/ChangeLog
@@ -20,6 +20,7 @@
 	* Fixed bug #14389: phtml is also PHP extension and should be denied editing / uploading via fileadmin (thanks to Ernesto Baschny)
 	* Follow-up to bug #14389: Added unit test
 	* Fixed bug #1985: XSS vulnerability in wizard classes
+	* Fixed bug #15223: Password request hash in felogin is created with not enough randomness (thanks to Helmut Hummel)
 
 2010-07-27  Steffen Kamper  <steffen@typo3.org>
 

diff --git a/typo3/sysext/felogin/pi1/class.tx_felogin_pi1.php b/typo3/sysext/felogin/pi1/class.tx_felogin_pi1.php
@@ -335,7 +335,7 @@ protected function generateAndSendHash($user) {
 		$validEnd = time() + 3600 * $hours;
 		$validEndString = date($this->conf['dateFormat'], $validEnd);
 
-		$hash =  md5(rand());
+		$hash = md5(t3lib_div::generateRandomBytes(64));
 		$randHash = $validEnd . '|' . $hash;
 		$randHashDB = $validEnd . '|' . md5($hash);