Possible bug in GetUserScratchPasswordsArray

Recommend this page to a friend!

      multiOTP PHP class  >  All threads  >  Possible bug in...  >  (Un) Subscribe thread alerts  
Subject:Possible bug in...
Summary:GetUserScratchPasswordsArray returns empty string
Messages:2
Author:Sean Butler-Lee
Date:2013-09-20 15:01:47
Update:2013-09-22 22:10:12
 

  1. Possible bug in...   Reply   Report abuse  
Sean Butler-Lee - 2013-09-20 15:01:47
I think I've found a security hole in GetUserScratchPasswordsArray. If run for a user with no scratch passwords, instead of returning an empty array, it returns an empty string. When the CheckToken function does a ForEach over the output from this function, it ends up authenticating a blank password as valid.

I've fixed this in my copy by replacing GetUserScratchPasswordsArray with the following:


function GetUserScratchPasswordsArray($user = '')
{
if ('' != $user)
{
$this->SetUser($user);
}
if ($this->_user_data['scratch_passwords'] != '') {
return (explode(",",$this->_user_data['scratch_passwords']));
} else {
return array();
}
}

  2. Re: Possible bug in...   Reply   Report abuse  
André Liechti - 2013-09-22 22:10:12 - In reply to message 1 from Sean Butler-Lee
Yes, thanks, it has been corrected.
Best regards,
Andre

 

For more information send a message to info at phpclasses dot org.