From d02648bed2358651a7ad92d40e8cdca753edda9b Mon Sep 17 00:00:00 2001
From: mimrock <lados.denes@gmail.com>
Date: Thu, 21 Oct 2021 23:06:03 +0200
Subject: [PATCH 1/4] Use hmac for message authentication
---
 phpThumb.config.php.default => phpThumb.config.php.default.php | 2 +-
 phpThumb.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename phpThumb.config.php.default => phpThumb.config.php.default.php (99%)
diff --git a/phpThumb.config.php.default b/phpThumb.config.php.default.php
similarity index 99%
rename from phpThumb.config.php.default
rename to phpThumb.config.php.default.php
index 2f26aed..1cf5a0f 100644
--- a/phpThumb.config.php.default
+++ b/phpThumb.config.php.default.php
@@ -273,5 +273,5 @@ function phpThumbURL($ParameterString, $path_to_phpThumb='phpThumb.php') {
 }
 }
 $ParameterString = implode($PHPTHUMB_CONFIG['high_security_url_separator'], $ParamterStringEncodedArray);
- return $path_to_phpThumb.'?'.$ParameterString.$PHPTHUMB_CONFIG['high_security_url_separator'].'hash='.md5($ParameterString.$PHPTHUMB_CONFIG['high_security_password']);
+ return $path_to_phpThumb.'?'.$ParameterString.$PHPTHUMB_CONFIG['high_security_url_separator'].'hash='.hash_hmac('sha256', $ParameterString, $PHPTHUMB_CONFIG['high_security_password']);
 }
diff --git a/phpThumb.php b/phpThumb.php
index 8e02199..83569c4 100644
--- a/phpThumb.php
+++ b/phpThumb.php
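Review bot: Once the `return` line switches from `md5()` to `hash_hmac('sha256', …)`, every URL that was signed under the previous scheme stops verifying, and neither this function nor the surrounding config text documents the break or the new digest format. Add a comment above the `return`, e.g. `// hash is HMAC-SHA256 (64 hex chars) over the encoded parameter string, keyed with high_security_password; URLs signed with the earlier md5 scheme are rejected by phpThumb.php`. The verifier in phpThumb.php has to compute the same digest over the same bytes, so the two sites need to move in lockstep whenever either changes. phpThumbURL() starts before the hunk.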
@@ -207,7 +207,7 @@ function RedirectToCachedFile() {
 } elseif (phpthumb_functions::PasswordStrength($phpThumb->config_high_security_password) < 20) {
 $phpThumb->config_disable_debug = false; // otherwise error message won't print
 $phpThumb->ErrorImage('ERROR: $PHPTHUMB_CONFIG[high_security_password] is not complex enough');
- } elseif ($_GET['hash'] != md5(str_replace($phpThumb->config_high_security_url_separator.'hash='.$_GET['hash'], '', $_SERVER['QUERY_STRING']).$phpThumb->config_high_security_password)) {
+ } elseif ($_GET['hash'] != hash_hmac('sha256', str_replace($phpThumb->config_high_security_url_separator.'hash='.$_GET['hash'], '', $_SERVER['QUERY_STRING']).$phpThumb->config_high_security_password)) {
 header('HTTP/1.0 403 Forbidden');
 sleep(10); // deliberate delay to discourage password-guessing
 $phpThumb->ErrorImage('ERROR: invalid hash');
From 82535e9a8c1f009684718572e00573c6906d5127 Mon Sep 17 00:00:00 2001
From: mimrock <lados.denes@gmail.com>
Date: Thu, 21 Oct 2021 23:06:26 +0200
Subject: [PATCH 2/4] Do not sleep after a failed verification
---
 phpThumb.php | 1 -
 1 file changed, 1 deletion(-)
diff --git a/phpThumb.php b/phpThumb.php
index 83569c4..97c9ad4 100644
--- a/phpThumb.php
+++ b/phpThumb.php
@@ -209,7 +209,6 @@ function RedirectToCachedFile() {
 $phpThumb->ErrorImage('ERROR: $PHPTHUMB_CONFIG[high_security_password] is not complex enough');
 } elseif ($_GET['hash'] != hash_hmac('sha256', str_replace($phpThumb->config_high_security_url_separator.'hash='.$_GET['hash'], '', $_SERVER['QUERY_STRING']).$phpThumb->config_high_security_password)) {
 header('HTTP/1.0 403 Forbidden');
- sleep(10); // deliberate delay to discourage password-guessing
 $phpThumb->ErrorImage('ERROR: invalid hash');
 }
 }
From 5fd133d990238c339f6b70747dcb973c67426612 Mon Sep 17 00:00:00 2001
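Review bot: The new `elseif` line still compares the request value to the digest with loose `!=`, which is neither strict nor constant-time; the final form of this line should be `} elseif (!is_string($_GET['hash']) || !hash_equals(hash_hmac('sha256', str_replace($phpThumb->config_high_security_url_separator.'hash='.$_GET['hash'], '', $_SERVER['QUERY_STRING']), $phpThumb->config_high_security_password), $_GET['hash'])) {`. PHP's loose comparison treats two numeric-looking strings as numbers, so `!=` on hex digests is weaker than `hash_equals()`'s length-and-byte check, and `hash_equals()` throws a TypeError on a non-string argument, hence the `is_string` guard in front. The same comparison survives into the 2/4 context lines and the 4/4 rewrite of this line, so this note covers those hunks too. This commit's `hash_hmac()` call passes only two arguments with the password concatenated into the data; 4/4 moves the password into the key argument, so that is not re-raised here. The enclosing block begins and ends outside the hunk.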
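Review bot: Removing `sleep(10)` leaves nothing in this branch that slows repeated wrong-`hash` requests, so after this change the `PasswordStrength(...) < 20` check above is the only remaining guard against guessing `config_high_security_password`. If the motivation is that an in-process sleep pins a PHP worker for ten seconds per rejected request, record that and where throttling is expected to live, e.g. `// no in-process delay: it held a worker per bad request; rate-limit repeated 403s at the web server or proxy instead`. It would also help detection to emit a log entry on this path if `ErrorImage()` does not already do so, which cannot be told from the hunk. The enclosing block begins outside the hunk.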
From: mimrock <lados.denes@gmail.com>
Date: Fri, 22 Oct 2021 00:06:52 +0200
Subject: [PATCH 3/4] Revert filerename
---
 phpThumb.config.php.default.php => phpThumb.config.php.default | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename phpThumb.config.php.default.php => phpThumb.config.php.default (100%)
diff --git a/phpThumb.config.php.default.php b/phpThumb.config.php.default
similarity index 100%
rename from phpThumb.config.php.default.php
rename to phpThumb.config.php.default
From f320562fa58de3ed3ffaab43f6ba9c0d7c39a8a4 Mon Sep 17 00:00:00 2001
From: mimrock <lados.denes@gmail.com>
Date: Fri, 22 Oct 2021 00:21:31 +0200
Subject: [PATCH 4/4] Fix missing key
---
 phpThumb.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phpThumb.php b/phpThumb.php
index 97c9ad4..3a83909 100644
--- a/phpThumb.php
+++ b/phpThumb.php
@@ -207,7 +207,7 @@ function RedirectToCachedFile() {
 } elseif (phpthumb_functions::PasswordStrength($phpThumb->config_high_security_password) < 20) {
 $phpThumb->config_disable_debug = false; // otherwise error message won't print
 $phpThumb->ErrorImage('ERROR: $PHPTHUMB_CONFIG[high_security_password] is not complex enough');
- } elseif ($_GET['hash'] != hash_hmac('sha256', str_replace($phpThumb->config_high_security_url_separator.'hash='.$_GET['hash'], '', $_SERVER['QUERY_STRING']).$phpThumb->config_high_security_password)) {
+ } elseif ($_GET['hash'] != hash_hmac('sha256', str_replace($phpThumb->config_high_security_url_separator.'hash='.$_GET['hash'], '', $_SERVER['QUERY_STRING']), $phpThumb->config_high_security_password)) {
 header('HTTP/1.0 403 Forbidden');
 $phpThumb->ErrorImage('ERROR: invalid hash');
 }
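Review bot: The new `elseif` line rebuilds the signed string by deleting `<separator>hash=<value>` from the raw `$_SERVER['QUERY_STRING']`, which presumably only reproduces what `phpThumbURL()` signed when `hash` is the final parameter and the query string reaches PHP byte-for-byte as generated; nothing here documents that coupling. A comment above the `elseif` would spare the next reader a trip to the config file, e.g. `// expected digest is HMAC-SHA256 over the raw query string minus the trailing "<sep>hash=..." that phpThumbURL() appends; any reordering or re-encoding fails closed with a 403`. Whether `hash` is always last depends on the caller, so confirm that against `phpThumbURL()` before adding the comment. The enclosing block begins and ends outside the hunk.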