Use of a Broken or Risky Cryptographic Algorithm in froxlor/froxlor

Valid

Reported on Oct 1st 2021


Description

Froxlor uses microtime() to seed uniqid(), and the result is then hashed to produce a session token. Because microtime can be reasonably brute-forced or predicted, the token space is small enough to allow a relatively large-scale account-takeover attack or accurate targeted ones.

(Neither microtime() nor uniqid() is a cryptographically secure source of randomness; hashing their output does not add entropy.)
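The weak pattern the report describes beside a hardened replacement, as an added example in PHP. This is not froxlor's own code; the exact weak expression is a constructed illustration of "hash of uniqid seeded with microtime", and the function names are assumptions.

```php
<?php
// Added example, not froxlor's code. Shows the weak token construction the
// report describes and the CSPRNG-based replacement a fix should use.

// Weak (constructed illustration of the reported pattern): uniqid() is derived
// from the current time (seconds + microseconds), and prefixing it with
// microtime() just repeats the same clock reading. A hash of a predictable
// input is itself predictable, so the effective search space is the
// attacker's uncertainty about the clock, not 128 bits of MD5 output.
function weakSessionToken(): string
{
    return md5(uniqid(microtime(), true));
}

// Hardened: draw the token from the OS CSPRNG via random_bytes().
// 32 bytes = 256 bits of entropy; hex-encode for cookie and database storage.
function strongSessionToken(): string
{
    return bin2hex(random_bytes(32));
}

// Compare a presented token against the stored one in constant time so that
// the lookup does not leak how many leading characters matched.
function tokenMatches(string $presented, string $stored): bool
{
    return hash_equals($stored, $presented);
}

// When PHP's native session machinery is used instead of a home-grown token,
// PHP >= 7.1 already generates session ids with random_bytes(); regenerate the
// id after a successful login so a pre-login id cannot be fixated.
function rotateSessionAfterLogin(): void
{
    session_regenerate_id(true);
}
```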

Impact

This vulnerability is capable of allowing attackers to take over accounts.

Timeline

We have contacted a member of the froxlor team and are waiting to hear back (2 months ago)
Michael Rowley modified their report (2 months ago)
froxlor/froxlor maintainer validated this vulnerability (2 months ago)
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
froxlor/froxlor maintainer confirmed that a fix has been merged on 7feddf (2 months ago)
The fix bounty has been dropped

Validated locations

index.php#L678 has been validated
DbManager.php#L85 has been validated
admin_customers.php#L181 has been validated
DbManager.php#L88 has been validated
admin_admins.php#L132 has been validated