Skip to content

Commit

Permalink
Merge pull request #410 from HarryR/droppleganger
Browse files Browse the repository at this point in the history
Protect against DroppleGanger Auth-Bypass exploit
  • Loading branch information
johnroper100 authored Nov 4, 2016
2 parents 553d283 + a8e3a91 commit adcb8af
Show file tree
Hide file tree
Showing 3 changed files with 14 additions and 13 deletions.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
/config.php
1 change: 1 addition & 0 deletions cache/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
*
25 changes: 12 additions & 13 deletions dropplets/functions.php
Original file line number Diff line number Diff line change
Expand Up @@ -53,8 +53,19 @@
$verification_file = "./verify.php";

// If verified, allow a password reset.
if (!isset($_GET["verify"])) {
if (isset($_GET["verify"])) {

require($verification_file);

if ($_GET["verify"] === $verification_code) {
$_SESSION["user"] = true;
unlink($verification_file);
} else {
$login_error = "That's not the correct recovery code!";
}
}
else {
// Generate verification token and send e-mail
$code = sha1(md5(rand()));

$verify_file_contents[] = "<?php";
Expand All @@ -70,18 +81,6 @@

mail($blog_email, $blog_title . " - Recover your Dropplets Password", $message, implode("\r\n", $headers));
$login_error = "Details on how to recover your password have been sent to your email.";

// If not verified, display a verification error.
} else {

include($verification_file);

if ($_GET["verify"] == $verification_code) {
$_SESSION["user"] = true;
unlink($verification_file);
} else {
$login_error = "That's not the correct recovery code!";
}
}
break;

Expand Down

0 comments on commit adcb8af

Please sign in to comment.