Use of a Broken or Risky Cryptographic Algorithm in froxlor/froxlor


Reported on

Oct 1st 2021


Froxlor uses microtime to seed uniqid which is then hashed to produce a session token, microtime can be reasonably brute-forced/predicted, thus allowing for a relatively large-scale account-takeover attack or accurate targeted ones.

(Both microtime and uniqid are cryptographically insecure.)


This vulnerability is capable of allowing attackers to take over accounts.

We have contacted a member of the froxlor team and are waiting to hear back 2 years ago
Michael Rowley modified the report
2 years ago
froxlor/froxlor maintainer validated this vulnerability 2 years ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
froxlor/froxlor maintainer marked this as fixed with commit 7feddf 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
index.php#L678 has been validated
DbManager.php#L85 has been validated
admin_customers.php#L181 has been validated
DbManager.php#L88 has been validated
admin_admins.php#L132 has been validated
to join this conversation