From 8fcfc7abfd65ccd920753bee341c6bfdebcecd99 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Fri, 31 May 2013 09:29:08 +0200
Subject: use HMAC in password reset token FS#2794

---
 inc/auth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'inc')

diff --git a/inc/auth.php b/inc/auth.php
index af9f35b38..dac67bcb7 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -993,7 +993,7 @@ function act_resendpwd() {
         }
 
         // generate auth token
-        $token = md5(auth_cookiesalt().$user); //secret but user based
+        $token = PassHash::hmac('md5', $user, auth_cookiesalt()); //secret but user based
         $tfile = $conf['cachedir'].'/'.$token{0}.'/'.$token.'.pwauth';
         $url   = wl('', array('do'=> 'resendpwd', 'pwauth'=> $token), true, '&');
 
-- 
cgit v1.2.3