Use of a Broken or Risky Cryptographic Algorithm in froxlor/froxlor


Reported on Oct 1st 2021


Froxlor uses microtime to seed uniqid, and the result is then hashed to produce a session token. Because microtime can be reasonably brute-forced or predicted, the token itself is predictable, which allows a relatively large-scale account-takeover attack or accurate targeted ones.

(Both microtime and uniqid are cryptographically insecure.)


This vulnerability is capable of allowing attackers to take over accounts.
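The following is an added example, not Froxlor's code and not the patch referenced below: it places the time-seeded uniqid() token pattern the report describes next to a replacement built from PHP's CSPRNG, so the fix is concrete. The function names (weakSessionToken, secureSessionToken, tokenMatches) and the 32-byte token length are assumptions of this example; the exact expression Froxlor used is not shown on this page.

```php
<?php
// Added example (not Froxlor's code). Contrasts a session token derived
// from uniqid()/microtime() with one drawn from the OS CSPRNG.
declare(strict_types=1);

/**
 * The weak pattern from the report. uniqid() is built from the current
 * time in microseconds, so hashing it adds no entropy: the output space is
 * bounded by how precisely an attacker can guess the request time.
 * Kept here only to show what not to do.
 */
function weakSessionToken(): string
{
    return md5(uniqid((string) microtime(true), true));
}

/**
 * Hardened replacement: random_bytes() reads from the operating system
 * CSPRNG and throws an Exception if no secure source is available, instead
 * of silently degrading. 32 bytes gives a 256-bit token, hex-encoded for
 * safe storage in a cookie or database column.
 * The 32-byte default is an assumption of this example.
 */
function secureSessionToken(int $bytes = 32): string
{
    if ($bytes < 16) {
        // 128 bits is a sensible floor for an unguessable session identifier.
        throw new InvalidArgumentException('token too short');
    }
    return bin2hex(random_bytes($bytes));
}

/**
 * Validate a presented token against the stored one without leaking timing
 * information about how many leading characters matched.
 */
function tokenMatches(string $presented, string $stored): bool
{
    return hash_equals($stored, $presented);
}

// Demonstration run.
$weak   = weakSessionToken();
$secure = secureSessionToken();

printf("time-seeded token : %s (%d hex chars, entropy bounded by clock)\n", $weak, strlen($weak));
printf("CSPRNG token      : %s (%d hex chars, 256 bits of entropy)\n", $secure, strlen($secure));
printf("match check       : %s\n", tokenMatches($secure, $secure) ? 'ok' : 'mismatch');
```

Run it with `php example.php`. The server should treat the CSPRNG token as the secret: store it (or a hash of it) against the session record, and always compare with hash_equals rather than `==` so that validation does not leak how much of the token was correct.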

We have contacted a member of the froxlor team and are waiting to hear back (a year ago)
Michael Rowley modified the report (a year ago)
froxlor/froxlor maintainer validated this vulnerability (a year ago)
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
froxlor/froxlor maintainer confirmed that a fix has been merged on 7feddf (a year ago)
The fix bounty has been dropped

Validated locations:
index.php#L678
DbManager.php#L85
admin_customers.php#L181
DbManager.php#L88
admin_admins.php#L132