Page 1 of 1

Warning: 1.9.8 Security Patch

Posted: Fri Nov 29, 2019 10:58 am
by axew3
Since first releases, the integration work with a little bug that release the phpBB_k remember me cookie for phpBB, when login done in WordPress side, with a 16 chars length.
The half of what it should be (32 chars length).

To fix (increase security) this security issue, it is necessary to edit the file
/wp-content/plugins/wp-w3all-phpbb-integration/class.wp.w3all-phpbb.php
into

Code: Select all

private static function phpBB_user_session_set($wp_user_data){
there is this code line (exactly this with '// to k' comment, not the one instruction above on same function code, equal, but used for different scope)

Code: Select all

$key_id_k  = substr($valk, 4, 16); // to k
change into this:

Code: Select all

      $valplus = strtolower( str_shuffle(md5(time()) . '1234567890abcdefghilmnopqrstuvzwxWXKABCDEFGHILMNOPQRSTUVZ') );
      $key_id_k  = str_shuffle(substr($valk, 4, 16) . substr($valplus, 4, 16)); // to k
OR
download patched class.wp.w3all-phpbb.php file here:

https://plugins.trac.wordpress.org/expo ... -phpbb.php
and replace into folder:
/wp-content/plugins/wp-w3all-phpbb-integration/

You could observe that str_shuffle() isn't a reliable secure rand way to generate random strings. As on php7 there are random_bytes and random_int functions that could be used to generate this random string with easy, or any other sort of custom function that could be used to generate random chars sequences. I can assure that in this case that the contest where it is generated assure a secure 32chars random string acceptable result.

To cut the head to the bull, another secondary (but important) security aspect, into 1.9.9 or 2.0.0 will be definitively resolved.
I will may discuss about this security aspect into another topic as soon as a good idea on how to resolve it without overloading things, will come out in mind.

In the while, please, apply as soon you can the above security patch.