Use of a Broken or Risky Cryptographic Algorithm in froxlor/froxlor
Status: Valid
Reported on: Oct 1st 2021
Description
Froxlor uses microtime() to seed uniqid(), and the result is then hashed to produce a session token. microtime() output can be reasonably brute-forced or predicted, which allows a relatively large-scale account-takeover attack or accurate targeted ones. (Both microtime() and uniqid() are cryptographically insecure.)
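The pattern the report describes, next to a hardened alternative, as an added illustration that is not Froxlor's own code. The function names, the exact shape of the uniqid()/microtime() call, and the time window used in the entropy estimate are assumptions made for this example; hashing the value does not add unpredictability, so the token is only as strong as the time-derived input.

```php
<?php
// Added example (not Froxlor's code): the session-token pattern described in the
// report beside a CSPRNG-based replacement, with a rough entropy estimate for each.
// Function names and the call shape are this example's own assumptions.

declare(strict_types=1);

// Pattern described in the report: uniqid() seeded from microtime(), then hashed.
// A hash is deterministic, so it cannot add entropy that the input lacks.
function weakSessionToken(): string
{
    return hash('sha256', uniqid((string) microtime(true), true));
}

// Hardened replacement: a CSPRNG. random_bytes() throws an Exception if no
// secure source is available rather than silently falling back.
function secureSessionToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// Rough upper bound on unpredictable bits in the weak token when the token's
// creation time is known to within $windowSeconds. uniqid() encodes the current
// seconds and microseconds, so at most one candidate per microsecond exists in
// the window. The "more entropy" suffix comes from PHP's combined LCG
// (lcg_value()), which is not a cryptographic generator, so it is not counted.
function weakTokenEntropyBits(float $windowSeconds): float
{
    $candidates = max(1.0, $windowSeconds * 1000000);
    return log($candidates, 2);
}

// Entropy of the CSPRNG token is simply its length in bits.
function secureTokenEntropyBits(int $bytes = 32): int
{
    return $bytes * 8;
}

if (PHP_SAPI === 'cli') {
    printf("weak token:   %s\n", weakSessionToken());
    printf("secure token: %s\n", secureSessionToken());
    // Assumed 10-second window: roughly 23 bits, far below any acceptable level.
    printf("weak-token entropy, 10 s window: ~%.1f bits\n", weakTokenEntropyBits(10.0));
    printf("secure-token entropy: %d bits\n", secureTokenEntropyBits());
}
```

Both tokens are 64 hex characters long, which is the caveat worth remembering when reviewing similar code: token length says nothing about how predictable the token is. On PHP 7 and later, random_bytes() (or session_regenerate_id() for PHP-managed sessions) is the standard fix for this class of weakness.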
Impact
This vulnerability is capable of allowing attackers to take over accounts.
Timeline
We have contacted a member of the froxlor team and are waiting to hear back. (2 years ago)
Michael Rowley modified the report. (2 years ago)
The fix bounty has been dropped.
This vulnerability will not receive a CVE.
Fix locations validated
class.FroxlorInstall.php#L410: has been validated
index.php#L678: has been validated
DbManager.php#L85: has been validated
admin_customers.php#L181: has been validated
DbManager.php#L88: has been validated
admin_admins.php#L132: has been validated