Since the first releases, the integration has had a small bug: when the login is done on the WordPress side, the phpBB_k remember-me cookie for phpBB is released with a 16-character key,
half of what it should be (32 characters).
To fix this security issue (and so increase security), it is necessary to edit the file
/wp-content/plugins/wp-w3all-phpbb-integration/class.wp.w3all-phpbb.php
Inside
private static function phpBB_user_session_set($wp_user_data){
there is this code line (exactly this one, with the '// to k' comment; not the identical instruction that appears earlier in the same function, which is used for a different scope):
$key_id_k = substr($valk, 4, 16); // to k
Change it into this:
$valplus = strtolower( str_shuffle(md5(time()) . '1234567890abcdefghilmnopqrstuvzwxWXKABCDEFGHILMNOPQRSTUVZ') );
$key_id_k = str_shuffle(substr($valk, 4, 16) . substr($valplus, 4, 16)); // to k
OR
download the patched class.wp.w3all-phpbb.php file here:
https://plugins.trac.wordpress.org/export/HEAD/wp-w3all-phpbb-integration/trunk/class.wp.w3all-phpbb.php
and replace it in the folder:
/wp-content/plugins/wp-w3all-phpbb-integration/
You could observe that str_shuffle() isn't a reliable, cryptographically secure way to generate random strings. On PHP 7 there are the random_bytes and random_int functions that could easily be used to generate this random string, or any other custom function that generates random character sequences. I can assure that in this case the context where it is generated yields a secure 32-char random string as an acceptable result.
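As an added example (not the plugin's code, nor taken from this post), here are the three key derivations discussed above side by side, plus a check a site owner can run on the phpBB_k value: the original 16-char line, the str_shuffle() patch, and a random_bytes() variant. $valk is assumed to be a 32-char hex string (an md5), as the substr($valk, 4, 16) call suggests; the sample value is constructed.

```php
<?php
// Added example: key derivations for the phpBB_k remember-me cookie.
// ASSUMPTION: $valk is a 32-char lowercase hex string (md5), as used by
// the plugin's substr($valk, 4, 16); the sample below is constructed.

// "Before": the buggy line, 16 chars only (half the expected length).
function w3all_key_id_legacy(string $valk): string
{
    return substr($valk, 4, 16);
}

// The forum patch: pad to 32 chars with str_shuffle(), which is not a CSPRNG.
function w3all_key_id_patched(string $valk): string
{
    $valplus = strtolower(str_shuffle(md5(time()) . '1234567890abcdefghilmnopqrstuvzwxWXKABCDEFGHILMNOPQRSTUVZ'));
    return str_shuffle(substr($valk, 4, 16) . substr($valplus, 4, 16));
}

// Alternative using PHP 7 random_bytes(): 16 bytes from the OS CSPRNG become
// 32 lowercase hex chars. random_bytes() throws if no secure source exists,
// so a deployment without one fails loudly instead of issuing a weak key.
function w3all_key_id_secure(): string
{
    return bin2hex(random_bytes(16));
}

// Defender-side check: a valid key is exactly 32 chars of [a-z0-9].
// A 16-char value means the unpatched plugin is still issuing short keys.
function w3all_key_id_is_ok(string $key): bool
{
    return (bool) preg_match('/^[a-z0-9]{32}$/', $key);
}

// Constructed sample input: an md5 of an arbitrary string.
$valk = md5('constructed-sample-value');

var_dump(w3all_key_id_is_ok(w3all_key_id_legacy($valk)));
var_dump(w3all_key_id_is_ok(w3all_key_id_patched($valk)));
var_dump(w3all_key_id_is_ok(w3all_key_id_secure()));
```

Only the legacy key fails the length check; both 32-char variants pass it, and w3all_key_id_is_ok() can also be run against the raw phpBB_k cookie value of an existing session to confirm the patch took effect.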
To cut to the chase, another secondary (but important) security aspect will be definitively resolved in 1.9.9 or 2.0.0.
I may discuss this security aspect in another topic as soon as a good idea on how to resolve it without overloading things comes to mind.
In the meantime, please apply the above security patch as soon as you can.