Fix for "Broken or Risky Cryptographic Algorithm"

Fix for reflected XSS vulnerability, found by Brian Semrau
Anton Reutov 2021-08-16 14:59:41 +03:00 committed by GitHub
commit 6225820910
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -112,7 +112,7 @@ if (isset($_POST['user']) && isset($_POST['password'])) {
}
// Regenerate session id to prevent session fixation
session_regenerate_id();
session_regenerate_id(true);
// Redirect request to control panel interface
if (!empty($_SESSION['request_uri'])) {
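Review bot: The return value of `session_regenerate_id(true)` is still ignored, so a failed regeneration (for example when output or headers have already been sent, or the session save handler rejects the write) silently keeps the fixated session id and the code proceeds to the redirect as if a fresh id had been issued; treat failure as fatal with `if (!session_regenerate_id(true)) { header('HTTP/1.1 500 Internal Server Error'); exit; }`. Passing `true` is the right call here since it discards the old session data rather than leaving a second valid copy behind, though it can break concurrent in-flight requests from the same client that still carry the old id, which is why `session.use_strict_mode` should be on as well. The branch that follows redirects to `$_SESSION['request_uri']`; if that value originates from request data it should be validated as a relative path before being placed in a Location header, but the assignment is not visible here. The enclosing `if (isset($_POST['user']) && isset($_POST['password']))` block starts and ends outside the hunk.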
@ -158,7 +158,8 @@ if (empty($_SESSION['language'])) {
}
// Generate CSRF token
$_SESSION['token'] = md5(uniqid(mt_rand(), true));
$token = bin2hex(file_get_contents('/dev/urandom', false, null, 0, 16));
$_SESSION['token'] = $token;
require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php');
require_once('../templates/header.html');
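Review bot: Reading `/dev/urandom` with `file_get_contents` can fail or be blocked (non-Unix hosts, `open_basedir`, a chrooted or restricted PHP), in which case it returns `false`, `bin2hex(false)` yields an empty string, and `$_SESSION['token']` becomes `''` with no error raised, so a later token comparison could be satisfied by an empty or absent form field. PHP's `random_bytes()` (7.0+) is the CSPRNG-backed, portable equivalent and throws on failure instead of degrading silently: `$token = bin2hex(random_bytes(16));`. If the application must remain runnable where `random_bytes()` throws, catch the exception and abort the request rather than continuing without a token; the token is presumably consumed by the template included on the next lines, but that use is not visible in the hunk.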