Warning: 1.9.8 Security Patch
Posted: Fri Nov 29, 2019 10:58 am
Since the first releases, the integration has worked with a little bug that released the phpBB_k remember-me cookie for phpBB, when login is done on the WordPress side, with a 16-character length.
Half of what it should be (32 characters).
To fix (increase security) this security issue, it is necessary to edit the file
/wp-content/plugins/wp-w3all-phpbb-integration/class.wp.w3all-phpbb.php
and, inside

Code:
private static function phpBB_user_session_set($wp_user_data){

there is this code line (exactly this one, with the '// to k' comment, not the equal instruction a few lines above in the same function, which is used for a different scope):

Code:
$key_id_k = substr($valk, 4, 16); // to k

change it into this:

Code:
$valplus = strtolower( str_shuffle(md5(time()) . '1234567890abcdefghilmnopqrstuvzwxWXKABCDEFGHILMNOPQRSTUVZ') );
$key_id_k = str_shuffle(substr($valk, 4, 16) . substr($valplus, 4, 16)); // to k

OR
download the patched class.wp.w3all-phpbb.php file here:
https://plugins.trac.wordpress.org/expo ... -phpbb.php
and replace it into the folder:
/wp-content/plugins/wp-w3all-phpbb-integration/
You could observe that str_shuffle() isn't a reliable secure random way to generate random strings. On PHP 7 there are the random_bytes and random_int functions that could be used to generate this random string with ease, or any other sort of custom function that could be used to generate random character sequences. I can assure you that in this case the context where it is generated ensures a secure 32-character random string, an acceptable result.
To settle the matter once and for all, another secondary (but important) security aspect will be definitively resolved in 1.9.9 or 2.0.0.
I may discuss this security aspect in another topic as soon as a good idea on how to resolve it without overloading things comes to mind.
In the meantime, please apply the above security patch as soon as you can.
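As an added example (editor's code, not the plugin's own code and not part of the post above), here is how a 32-character remember-me key can be produced with the PHP 7 random_bytes() and random_int() functions the post mentions, together with a check on the length of what ends up in the phpBB_k cookie. The function and constant names (w3all_generate_key_hex, w3all_generate_key_alnum, w3all_key_is_well_formed, W3ALL_KEY_LENGTH) and the alphabet are illustrative assumptions.

```php
<?php
// Added example, not code from the wp-w3all-phpbb-integration plugin.
// Assumption: the plugin wants a 32-character lowercase key for the phpBB_k cookie.
declare(strict_types=1);

const W3ALL_KEY_LENGTH = 32; // assumed target length from the post

/**
 * Hex variant: random_bytes() is a CSPRNG, and every byte becomes two hex
 * characters, so a 32-character key carries 128 bits of randomness.
 * random_bytes() throws if no secure source is available; let it propagate
 * rather than falling back to a weaker generator.
 */
function w3all_generate_key_hex(int $length = W3ALL_KEY_LENGTH): string
{
    if ($length < 2 || $length % 2 !== 0) {
        throw new InvalidArgumentException('length must be a positive even number');
    }
    return bin2hex(random_bytes(intdiv($length, 2)));
}

/**
 * Alphanumeric variant over a custom alphabet: one random_int() call per
 * character. random_int() is uniform over [0, max], so there is no modulo
 * bias, unlike mapping bytes onto the alphabet with % yourself.
 */
function w3all_generate_key_alnum(
    int $length = W3ALL_KEY_LENGTH,
    string $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'
): string {
    if ($length < 1 || strlen($alphabet) < 2) {
        throw new InvalidArgumentException('need a positive length and at least two symbols');
    }
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/**
 * Sanity check before the key is written into the cookie / session table:
 * exact length and only lowercase alphanumerics. Useful for catching the
 * 16-character case the post describes.
 */
function w3all_key_is_well_formed(string $key, int $length = W3ALL_KEY_LENGTH): bool
{
    return strlen($key) === $length && preg_match('/\A[a-z0-9]+\z/', $key) === 1;
}

// Demonstration on freshly generated keys.
$hex   = w3all_generate_key_hex();
$alnum = w3all_generate_key_alnum();
$short = substr($hex, 4, 16); // the pre-patch shape: 16 of 32 characters

printf("hex   key: %s (%d chars, well formed: %s)\n", $hex, strlen($hex),
    w3all_key_is_well_formed($hex) ? 'yes' : 'no');
printf("alnum key: %s (%d chars, well formed: %s)\n", $alnum, strlen($alnum),
    w3all_key_is_well_formed($alnum) ? 'yes' : 'no');
printf("16-char key rejected: %s\n", w3all_key_is_well_formed($short) ? 'no' : 'yes');
```

Run it with `php example.php` on PHP 7.0 or later; both generators give 32 characters every time, and the 16-character slice fails the check, which is the condition the patch above is meant to remove.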