Half of what it should be (32 chars length).
To fix (increase security for) this security issue, it is necessary to edit the file
/wp-content/plugins/wp-w3all-phpbb-integration/class.wp.w3all-phpbb.php
into
Code:
private static function phpBB_user_session_set($wp_user_data){
Code:
$key_id_k = substr($valk, 4, 16); // to k
Code:
$valplus = strtolower( str_shuffle(md5(time()) . '1234567890abcdefghilmnopqrstuvzwxWXKABCDEFGHILMNOPQRSTUVZ') );
$key_id_k = str_shuffle(substr($valk, 4, 16) . substr($valplus, 4, 16)); // to k
Download the patched class.wp.w3all-phpbb.php file here:
https://plugins.trac.wordpress.org/expo ... -phpbb.php
and replace it in the folder:
/wp-content/plugins/wp-w3all-phpbb-integration/
You could observe that str_shuffle() isn't a reliably secure random way to generate random strings. As of PHP 7 there are the random_bytes and random_int functions that could be used to generate this random string easily, or any other sort of custom function that could be used to generate random character sequences. I can assure you that in this case the context where it is generated assures a secure, acceptable 32-char random string result.
To settle the matter, another secondary (but important) security aspect will be definitively resolved in 1.9.9 or 2.0.0.
I may discuss this security aspect in another topic as soon as a good idea on how to resolve it without overloading things comes to mind.
In the meanwhile, please apply the above security patch as soon as you can.
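As an added illustration of the random_bytes/random_int route mentioned above (example code, not part of the plugin or of the post), two ways to produce the 32-character key with PHP 7's CSPRNG functions, plus a check that validates a key before it is stored; the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own code. Both generators draw from the OS
// CSPRNG (random_bytes / random_int) rather than from str_shuffle(), whose
// ordering is not documented as cryptographically secure, and whose only
// unpredictable input in the patch above is md5(time()).

// Hex key: 16 random bytes -> 32 hex characters (128 bits of entropy).
function w3all_example_hex_key(): string
{
    return bin2hex(random_bytes(16));
}

// Key drawn character by character with random_int() from the same alphabet
// the patch uses. The alphabet has 57 distinct characters, so 32 draws give
// about 186 bits of entropy; distinct characters matter, because a repeated
// character would be picked more often than the others.
function w3all_example_alnum_key(int $length = 32): string
{
    $alphabet = '1234567890abcdefghilmnopqrstuvzwxWXKABCDEFGHILMNOPQRSTUVZ';
    $max = strlen($alphabet) - 1;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $max)];
    }
    return $key;
}

// Defensive check before storing or comparing a key: exact length and only
// characters from the expected set (strspn counts the leading run of allowed
// characters, so it must cover the whole string).
function w3all_example_key_is_valid(string $key, string $allowed, int $length = 32): bool
{
    return strlen($key) === $length && strspn($key, $allowed) === $length;
}

$hex   = w3all_example_hex_key();
$alnum = w3all_example_alnum_key();
assert(w3all_example_key_is_valid($hex, '0123456789abcdef'));
assert(w3all_example_key_is_valid($alnum, '1234567890abcdefghilmnopqrstuvzwxWXKABCDEFGHILMNOPQRSTUVZ'));
echo "hex key:   $hex\nalnum key: $alnum\n";
```

random_bytes() and random_int() throw if no secure entropy source is available, so the generation should be wrapped in a try/catch that fails closed (refuse to create the session) rather than falling back to a weaker generator.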