Commit c2e808cc authored by Florian Schlichting

Disallow current time as a session key (fix: #19, CVE-2020-11728)

We never set a cookie with the (md5 of the) current time as session key,
so there's no need to allow logging in with this brute-force guessable
value.
parent 535505c9
......@@ -173,9 +173,9 @@ class Session
else {
$sql = "SELECT session.*, usr.* FROM session JOIN usr USING ( user_no )";
}
$sql .= " WHERE session.session_id = ? AND (md5(session.session_start::text) = ? OR session.session_key = ?) ORDER BY session.session_start DESC LIMIT 2";
$sql .= " WHERE session.session_id = ? AND session.session_key = ? ORDER BY session.session_start DESC LIMIT 2";
$qry = new AwlQuery($sql, $session_id, $session_key, $session_key);
$qry = new AwlQuery($sql, $session_id, $session_key);
if ( $qry->Exec('Session') && 1 == $qry->rows() ) {
$this->AssignSessionDetails( $qry->Fetch() );
$qry = new AwlQuery('UPDATE session SET session_end = current_timestamp WHERE session_id=?', $session_id);
......@@ -384,9 +384,9 @@ class Session
else {
$sql = "SELECT session.*, usr.* FROM session JOIN usr USING ( user_no )";
}
$sql .= " WHERE session.session_id = ? AND (md5(session.session_start::text) = ? OR session.session_key = ?) ORDER BY session.session_start DESC LIMIT 2";
$sql .= " WHERE session.session_id = ? AND session.session_key = ? ORDER BY session.session_start DESC LIMIT 2";
$qry = new AwlQuery($sql, $session_id, $session_key, $session_key);
$qry = new AwlQuery($sql, $session_id, $session_key);
if ( $qry->Exec('Session') && 1 == $qry->rows() ) {
$this->AssignSessionDetails( $qry->Fetch() );
}
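Review bot: With the `md5(session.session_start::text)` alternative gone, both lookups (the query in the hunk at line 173 and the identical one at line 384) accept a session only on `session.session_key = ?`, so the fix is only as strong as the way that key is generated, and that code is outside these hunks. It is worth confirming in the same change that the key comes from a CSPRNG such as `random_bytes()` rather than a clock- or `rand()`-style source; otherwise the guessability described in the commit message could remain in another form. I would also add a comment above each query, e.g. `// Match on session_key only: never accept a value derivable from session_start (CVE-2020-11728).`, so the time-based fallback is not reintroduced later. Because the same WHERE clause is maintained in two places, consider building it in one private helper so a future change cannot update one copy and miss the other. Both enclosing methods start and end outside the hunks.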
......