Possible way to brick a working Installation - changeAESKey.php #3

Closed
olia-dev opened this issue Jan 7, 2018 · 1 comment
olia-dev commented Jan 7, 2018

The file 'changeAESKey.php' can be called via direct link and can brick a working installation of this plugin.

Executing it will decrypt all stored passwords in the database with a false AES key, re-encrypt those passwords with the same false key, and store them in the database.
At no point does it actually leak any stored information; it just forces users to re-enter their stored passwords.

Solution: Remove the file 'changeAESKey.php' and release a new build with an empty 'changeAESKey.php' file to make sure it gets overwritten.

olia-dev self-assigned this Jan 7, 2018
olia-dev added a commit that referenced this issue Jan 7, 2018
olia-dev added a commit that referenced this issue Jan 7, 2018

olia-dev commented Jan 7, 2018

Fixed.

Thanks to Andreas Brodowski (aka dw2412) for making me aware of this bug.

olia-dev closed this as completed Jan 7, 2018
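The failure described in this issue (a key-change script reachable by URL that rewrites stored passwords with the wrong key) can be guarded against in two places, shown here as an added example that is not the plugin's code. It assumes AES-256-GCM so that a wrong key is detectable; `encryptValue`, `decryptValue`, `rotateKey` and the in-memory rows are hypothetical names and constructed data.

```php
<?php
// Added example, not the plugin's code; all function names are hypothetical.

// Guard 1: a maintenance script refuses to run when requested over HTTP.
if (PHP_SAPI !== 'cli') {
    http_response_code(403);
    exit;
}

const CIPHER = 'aes-256-gcm'; // assumption: authenticated mode, so wrong keys fail loudly

function encryptValue(string $plain, string $key): string {
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) throw new RuntimeException('encryption failed');
    return base64_encode($iv . $tag . $ct); // 12-byte IV, 16-byte tag, ciphertext
}

function decryptValue(string $blob, string $key): string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) throw new RuntimeException('malformed ciphertext');
    $pt = openssl_decrypt(substr($raw, 28), CIPHER, $key, OPENSSL_RAW_DATA,
                          substr($raw, 0, 12), substr($raw, 12, 16));
    if ($pt === false) throw new RuntimeException('wrong key or tampered ciphertext');
    return $pt;
}

// Guard 2: decrypt every row first; return new rows only if all of them authenticate.
function rotateKey(array $rows, string $oldKey, string $newKey): array {
    $plain = [];
    foreach ($rows as $id => $blob) {
        $plain[$id] = decryptValue($blob, $oldKey); // throws before anything is rewritten
    }
    return array_map(fn($p) => encryptValue($p, $newKey), $plain);
}

// Constructed sample data standing in for the password table.
$old  = random_bytes(32);
$new  = random_bytes(32);
$rows = [1 => encryptValue('example-password-1', $old), 2 => encryptValue('example-password-2', $old)];

try {
    rotateKey($rows, random_bytes(32), $new); // simulate the script running with a false key
} catch (RuntimeException $e) {
    echo 'rotation aborted, rows untouched: ', $e->getMessage(), "\n";
}
$rotated = rotateKey($rows, $old, $new);      // correct old key: rotation succeeds
echo decryptValue($rotated[1], $new), "\n";
```

In a real deployment the rewritten rows would be written back inside a single database transaction, so a failure part-way through leaves the original ciphertexts in place.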