
CSRF tokens are not cryptographically secure

Posted: Tue Oct 17, 2017 3:20 pm
by cmb
Hi!

It has been noticed that the CSRF tokens generated by CMSimple_XH are not cryptographically secure, and as such do not really fulfill their purpose. This issue has been fixed in CMSimple_XH 1.7.1, so it's best to update to this version. If you're still stuck with CMSimple_XH 1.6 for whatever reason, it is recommended that you apply the patch yourself. However, note that this will only work if you use at least PHP 7.0.0! Unfortunately, there is no easy fix for CMSimple_XH 1.6/PHP 5!

Re: CSRF tokens are not cryptographically secure

Posted: Sat Sep 22, 2018 12:10 pm
by cmss
A question in this context is about the safety of the session ID.

I read a code like
...if ($session['HTTP_USER_AGENT'] != hash("sha512", $_SERVER['HTTP_USER_AGENT'])) ......

I also read about the hash-salt combination for the password (https://www.webmasterpro.de/coding/arti ... chern.html)

Is there a built-in alternative in CMSimple_XH?

Re: CSRF tokens are not cryptographically secure

Posted: Sat Sep 22, 2018 12:49 pm
by cmb
cmss wrote:
Sat Sep 22, 2018 12:10 pm
I also read about the hash-salt combination for the password (https://www.webmasterpro.de/coding/arti ... chern.html)

Is there a built-in alternative in CMSimple_XH?
This article is crap, since simple hash algos are insufficient for secure password hashes, and equality comparisons of password and hash are susceptible to timing attacks. The simplest good solution for PHP is to use the Password Hashing functions. CMSimple_XH 1.7 provides a shim for PHP ≥ 5.3.7.
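Added example, not CMSimple_XH's own code and not the patch referred to in the first post: how the two points raised in this thread look in PHP 7, a CSRF token drawn from the OS CSPRNG and compared in constant time, and passwords stored with the Password Hashing functions cmb recommends. The session key name, the form field name and the example flow are assumptions.

```php
<?php
// Added example; assumes PHP >= 7.0 (random_bytes, scalar types, ??).
// 'xh_csrf_token' is an assumed session/form key, not one the project uses.

// A CSRF token must be unpredictable: 32 bytes from the OS CSPRNG, kept in
// the session for the lifetime of the login, never derived from time,
// mt_rand() or other guessable inputs.
function csrf_token(): string {
    if (empty($_SESSION['xh_csrf_token'])) {
        $_SESSION['xh_csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['xh_csrf_token'];
}

// hash_equals() takes the same time whether the first or the last byte
// differs; a plain == or === comparison stops at the first mismatch and
// leaks how much of the token was right.
function csrf_check(string $submitted): bool {
    $expected = $_SESSION['xh_csrf_token'] ?? '';
    return $expected !== '' && hash_equals($expected, $submitted);
}

// Passwords: password_hash() picks a per-password random salt and a slow
// algorithm (bcrypt with PASSWORD_DEFAULT); password_verify() compares in
// constant time. sha1($password . $salt) === $stored, the pattern from the
// linked article, has neither property.
function store_password(string $plain): string {
    return password_hash($plain, PASSWORD_DEFAULT);
}

function check_password(string $plain, string $stored): bool {
    return password_verify($plain, $stored);
}

// Usage sketch for a form handler (assumed flow):
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check((string) ($_POST['xh_csrf_token'] ?? ''))) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... handle the trusted POST here ...
}
echo '<input type="hidden" name="xh_csrf_token" value="'
    . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
```

Because random_bytes() and the scalar type declarations need PHP 7.0, this matches the note in the first post that the fix is not available on PHP 5; on PHP 5.6 you would still have hash_equals() and password_hash() but no built-in CSPRNG API.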