fixed security vulnerability allowing an attacker that knows the user…
…name to change the password without an activation key
little-apps committed Sep 26, 2015
1 parent 616d89c commit 07ba827
Showing 2 changed files with 5 additions and 2 deletions.
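--- a/inc/class.securelogin.php
+++ b/inc/class.securelogin.php
@@ -213,6 +213,9 @@ public function change_password( $user, $pass, $pass2, $key ) {
 $pass = trim( $pass );
 $pass2 = trim( $pass2 );
 $key = strtolower( trim( $key ) );
+
+if ( empty( $key ) )
+return __( "Activation key cannot be empty" );
 
 if ( !MySQL::getInstance()->select( "users", array( "UserName" => $user ), "", "0,1" ) )
 return __( "Username does not exist" );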
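Review bot: The new `empty( $key )` guard has no comment saying it is a security check, and the key comparison it protects lies outside this hunk (the body of `change_password()` continues past the last line shown). I would add above it: `// Security: never accept an empty activation key, whatever the stored value is.` It is also worth confirming, further down, that the submitted key is compared with the stored one using `hash_equals()` and that a user with no pending reset cannot match at all. The context lines return a distinct "Username does not exist" message, which tells a caller which usernames are valid; a single generic failure message would avoid that.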
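--- a/login.php
+++ b/login.php
@@ -142,10 +142,10 @@
 <!-- end message -->
 
 <!-- start login-inner -->
-<?php if ( ( isset( $_GET['action'] ) ) && $_GET['action'] == "resetPwd") : ?>
+<?php if ( ( isset( $_GET['action'] ) ) && $_GET['action'] == "resetPwd" && !empty( $_GET['key'] ) ) : ?>
 <div id="login-inner">
 <form action="#" method="post">
-<input name="key" type="hidden" value="<?php echo ( ( isset( $_GET['key'] ) ) ? ( $_GET['key'] ) : ( '' ) ); ?>" />
+<input name="key" type="hidden" value="<?php echo $_GET['key']; ?>" />
 <table border="0" cellpadding="0" cellspacing="0">
 <tr>
 <th><?php _e ( 'Username' ); ?></th>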
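Review bot: The hidden `key` field on the new side still writes `$_GET['key']` into an HTML attribute without escaping, so a value taken from the reset link can break out of the attribute and inject markup into the login page; the added `!empty()` guard does not change that. Escape at output instead: `<input name="key" type="hidden" value="<?php echo htmlspecialchars( $_GET['key'], ENT_QUOTES, 'UTF-8' ); ?>" />`. `!empty()` is also true for an array-valued parameter, so adding `is_string( $_GET['key'] )` to the condition would keep non-string values out of the form. This template condition only hides the form; the server-side check in `change_password()` remains the actual control.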
