Patch insecure CSRF token crypto vulnerability #1164
Conversation
|
Thank you @Arinerron :) |
|
uhhh, looks like you used undefined function... panel is now broken...
I must revert this. @Arinerron, it would be nice if you setup virtualbox and install Vesta, then you can test your code before you send push requests, cheers :) |
Reverting #1164, because undefined function is used
|
@dpeca Ugh, sorry. You need the OpenSSL PHP module: http://us3.php.net/manual/en/book.openssl.php It says it come with PHP >=5.3.0, PHP 7 by default. http://php.net/manual/en/function.openssl-random-pseudo-bytes.php |
|
I think VestaCP has its own seperated PHP parser - /usr/local/vesta/php/bin/php Only @serghey-rodin can rebuild it. |
|
Should be rechecked by Sergey Rodin or Dmitry Naumov-Socolov |
|
This pull request was merged but reverted. The issue still exists in |
I noticed that CSRF tokens are not using a cryptographically secure pseudorandom number generator. An attacker could potentially "guess" the CSRF token, allowing them to control vesta. The current algorithm for generating CSRF tokens is
md5(uniqid(mt_rand(), true)), but it should use an algorithm that is considered cryptographically secure (for example, bin2hex(openssl_random_pseudo_bytes(32)) or bytes from /dev/urandom).This pull request simply replaces the insecure crypto with the secure function.
To test if the code worked, I made this little script:
The output is something like:
The insecure algorithm (being used now) generates tokens like this:
Same length, just more secure. Here's a stackoverflow post about it: http://stackoverflow.com/a/2595372
Also,
http://php.net/manual/en/function.mt-rand.php
http://php.net/manual/en/function.rand.php
If you scroll down on either of those documentation pages, you'll see the warning about how it does not generate cryptographically secure values.
Thanks!