osCommerce Online Merchant v2.3.2
osCommerce Online Merchant v2.3.2 is a security improvement release which improves the customer password forgotten routine and generation of random strings.
Previously, the customer password forgotten routine would automatically generate a random password and e-mail it to the customer. The code was based on tep_create_random_value(), the PHP mt_rand() function, and a weak seeding of the random number generator. Now, tep_create_random_value() uses Phpass' stronger get_random_bytes() method to generate random strings, and the customer password forgotten routine e-mails a personal link to the customer and gives them 24 hours to change their password. If they do not, they can continue to use their existing password and their personal password reset link is discarded.
The customer password forgotten routine is also now protected with a new Customer Password Reset Action Recorder module which, by default, limits the generation of personal password reset links to once every 5 minutes.
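The reset flow described above, as an added example that is not osCommerce's own code: a request issues a personal link carrying a random key that is valid for 24 hours and usable once, and a second request inside 5 minutes is refused in the way the Action Recorder module does. Storage is an in-memory array standing in for the customers and action_recorder tables, the class and method names are hypothetical, the link host `shop.example` is a placeholder, and `random_bytes()` (PHP 7) stands in for Phpass' `get_random_bytes()`.

```php
<?php
// Added example: personal password reset links with a 24-hour lifetime and a
// once-per-5-minutes request limit. Not osCommerce's code; names are hypothetical.

class ExamplePasswordReset {
    const LINK_LIFETIME = 86400;   // 24 hours, after which the link is discarded
    const REQUEST_LIMIT = 300;     // one reset request per 5 minutes

    private $customers = array();  // email => password_hash, reset_key, reset_expiry
    private $requests  = array();  // email => unix time of the last reset request

    public function __construct(array $emails) {
        foreach ($emails as $email) {
            $this->customers[$email] = array('password_hash' => null,
                                             'reset_key' => null,
                                             'reset_expiry' => 0);
        }
    }

    // Step 1: the customer asks for a reset link. Returns the link that would be
    // e-mailed, or null when nothing is sent. Unknown addresses and rate-limited
    // requests both yield null so the caller can show one neutral message.
    public function requestReset($email, $now) {
        if (!isset($this->customers[$email])) return null;
        if (isset($this->requests[$email]) && ($now - $this->requests[$email]) < self::REQUEST_LIMIT) {
            return null;                                   // too soon since the last request
        }
        $this->requests[$email] = $now;
        $key = bin2hex(random_bytes(16));                  // 128 bits from the OS CSPRNG
        $this->customers[$email]['reset_key']    = $key;
        $this->customers[$email]['reset_expiry'] = $now + self::LINK_LIFETIME;
        return 'https://shop.example/password_reset.php?account=' . rawurlencode($email) . '&key=' . $key;
    }

    // Step 2: the customer follows the link. The key is accepted once and only
    // within its lifetime; an expired or wrong key leaves the old password in place.
    public function completeReset($email, $key, $newPassword, $now) {
        if (!isset($this->customers[$email])) return false;
        $c = $this->customers[$email];
        if ($c['reset_key'] === null || $now > $c['reset_expiry']) {
            $this->discardKey($email);                     // expired link is thrown away
            return false;
        }
        if (!hash_equals($c['reset_key'], $key)) return false;   // constant-time comparison
        $this->customers[$email]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
        $this->discardKey($email);                         // link is single-use
        return true;
    }

    private function discardKey($email) {
        $this->customers[$email]['reset_key']    = null;
        $this->customers[$email]['reset_expiry'] = 0;
    }
}

// Constructed walk-through with a fixed clock so the timing is explicit.
$reset = new ExamplePasswordReset(array('alice@example.com'));
$t0 = 1700000000;
$link = $reset->requestReset('alice@example.com', $t0);          // link issued and e-mailed
$again = $reset->requestReset('alice@example.com', $t0 + 60);    // inside the 5-minute limit: refused
parse_str(parse_url($link, PHP_URL_QUERY), $query);
$first  = $reset->completeReset('alice@example.com', $query['key'], 'n3w-passw0rd', $t0 + 3600);
$second = $reset->completeReset('alice@example.com', $query['key'], 'other', $t0 + 3600);  // key already discarded
var_dump($link, $again, $first, $second);
```

The key is compared with `hash_equals()` rather than `==` so that a wrong key cannot be distinguished by timing, and the same `null` is returned for an unknown address and for a rate-limited request so the forgotten-password page does not reveal which addresses have accounts.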
Changes
The following changes are included in this release:
- Changed customer password forgotten feature to e-mail a personal link to the customer where they can change their password up to 24 hours, instead of directly changing the password to a random string and e-mailing it to the customer.
- Added new password_reset.php page to manage personal password reset links.
- Added new ar_password_reset.php Action Recorder module to log and limit the request of personal password reset links to once every 5 minutes.
- Improve logic of tep_create_random_value() by using Phpass' random number generator. If function parameter $type is not 'mixed', 'chars', or 'digits', return a 'mixed' string instead of false.
- Add openssl_random_pseudo_bytes() and mcrypt_create_iv() to Phpass' get_random_bytes() class method. These are used if /dev/urandom is not available.
- Only seed the random number generator if PHP < 4.2 is used.
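The random-string changes in the list above, as an added example that is not osCommerce's or Phpass' code: a `get_random_bytes()`-style source that tries /dev/urandom first and falls back to `openssl_random_pseudo_bytes()` and then `mcrypt_create_iv()`, and a `tep_create_random_value()`-style generator on top of it that draws characters from those bytes instead of from `mt_rand()` and treats an unrecognised `$type` as 'mixed'. The function names `example_random_bytes()` and `example_create_random_value()` are hypothetical; on PHP 7 and later the built-in `random_bytes()` replaces the whole fallback chain, and `mcrypt_create_iv()` was removed in PHP 7.2.

```php
<?php
// Added example: a CSPRNG byte source with the fallback order the release notes
// describe, and a random-string helper built on it. Names are hypothetical.

function example_random_bytes($count) {
    $output = '';
    // 1. /dev/urandom, the preferred source on Unix-like hosts
    if (@is_readable('/dev/urandom') && ($fh = @fopen('/dev/urandom', 'rb'))) {
        $output = (string) fread($fh, $count);
        fclose($fh);
    }
    // 2. OpenSSL, used only if /dev/urandom was unavailable or came up short;
    //    the $strong flag must be true or the bytes are not usable for keys
    if (strlen($output) < $count && function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($count, $strong);
        if ($strong === true && $bytes !== false) {
            $output = $bytes;
        }
    }
    // 3. mcrypt, reading the kernel pool via MCRYPT_DEV_URANDOM (gone in PHP 7.2)
    if (strlen($output) < $count && function_exists('mcrypt_create_iv')) {
        $bytes = mcrypt_create_iv($count, MCRYPT_DEV_URANDOM);
        if ($bytes !== false) {
            $output = $bytes;
        }
    }
    // Never fall back to mt_rand(): a weak source is a failure, not a default.
    if (strlen($output) < $count) {
        throw new RuntimeException('No cryptographically secure random source is available');
    }
    return $output;
}

function example_create_random_value($length, $type = 'mixed') {
    // An unrecognised $type yields a 'mixed' string rather than false, so callers
    // that ignore the return value still get a usable random string.
    if (!in_array($type, array('mixed', 'chars', 'digits'), true)) {
        $type = 'mixed';
    }
    $alphabet = '';
    if ($type === 'mixed' || $type === 'chars') {
        $alphabet .= 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    }
    if ($type === 'mixed' || $type === 'digits') {
        $alphabet .= '0123456789';
    }
    $n = strlen($alphabet);
    // Rejection sampling: discard bytes at or above the largest multiple of $n
    // that fits in a byte, so every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $n);
    $value = '';
    $pool  = '';
    $pos   = 0;
    while (strlen($value) < $length) {
        if ($pos >= strlen($pool)) {           // refill the byte pool when exhausted
            $pool = example_random_bytes($length * 2);
            $pos  = 0;
        }
        $byte = ord($pool[$pos++]);
        if ($byte < $limit) {
            $value .= $alphabet[$byte % $n];
        }
    }
    return $value;
}

// Constructed calls showing the three documented types and the 'mixed' fallback.
var_dump(example_create_random_value(16, 'mixed'));
var_dump(example_create_random_value(8, 'chars'));
var_dump(example_create_random_value(6, 'digits'));
var_dump(example_create_random_value(10, 'unknown'));   // treated as 'mixed'
```

The helper deliberately raises an exception rather than silently reverting to `mt_rand()` when every strong source is missing; a reset key or generated password drawn from a seeded Mersenne Twister is exactly the weakness this release removes, so it is better for the page to fail loudly than to ship a predictable value.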
Upgrade from v2.3.1 to v2.3.2
A detailed upgrade guide is available online at:
Download
Full and Update Packages of osCommerce Online Merchant v2.3.2 can be downloaded at:
https://www.oscommerce.com/solutions/downloads
Acknowledgements
We'd like to thank Gary Burton and George Zarkadas for testing and reviewing the upgrade guide, and George Argyros and Aggelos Kiayias for bringing the issue of insecure random number generators to our attention.