This must be a joke
```php
function yubikey_verify_otp($otp,$yubico_api_id,$yubico_api_key){
    // emphasised in the original post:
    $url="https://api.yubico.com/wsapi/verify?id=".$yubico_api_id."&otp=".$otp;
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_USERAGENT, "Wordpress Yubikey OTP login plugin");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $response = trim(curl_exec($ch));
    curl_close($ch);
    if (yubikey_verify_hmac($response,$yubico_api_key)) {
        if(!preg_match("/status=([a-zA-Z0-9_]+)/", $response, $result)) {
            return false;
        }
        // emphasised in the original post:
        if ($result[1]=='OK') {
            return true;
        }
    }
    return false;
}
```
An
- unencrypted
- unauthenticated
- unsigned
response of “OK” is what users should base security assumptions on?
C’mon.
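An added example, not from the plugin or the original post: a strict check of a validation reply that recomputes the HMAC and requires the reply to echo this request's OTP and nonce before `status=OK` is trusted. It assumes the reply format of the Yubico validation protocol 2.0 (signed `key=value` lines that echo `otp` and `nonce`); the function names are hypothetical and the key, OTP and nonce are constructed sample values.

```php
<?php
// Split "key=value" lines into a map; values may themselves contain '=' (base64 padding).
function parse_reply(string $body): array {
    $fields = [];
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        $parts = explode('=', $line, 2);
        if (count($parts) === 2) {
            $fields[trim($parts[0])] = trim($parts[1]);
        }
    }
    return $fields;
}

// HMAC-SHA1 over the sorted key=value pairs (every field except h), base64-encoded.
function sign_fields(array $fields, string $api_key_b64): string {
    unset($fields['h']);
    ksort($fields);
    $pairs = array_map(fn($k, $v) => "$k=$v", array_keys($fields), array_values($fields));
    $mac = hash_hmac('sha1', implode('&', $pairs), base64_decode($api_key_b64), true);
    return base64_encode($mac);
}

// Accept only a correctly signed reply that echoes this request's OTP and nonce.
function reply_is_valid(string $body, string $otp, string $nonce, string $api_key_b64): bool {
    $f = parse_reply($body);
    if (!isset($f['h'], $f['status'], $f['otp'], $f['nonce'])) {
        return false; // a required field is missing
    }
    if (!hash_equals(sign_fields($f, $api_key_b64), $f['h'])) {
        return false; // signature does not match the reply contents
    }
    return hash_equals($otp, $f['otp']) && hash_equals($nonce, $f['nonce'])
        && $f['status'] === 'OK';
}

// Constructed sample data: the key, OTP and nonce below are made up for this demo.
$key   = base64_encode('constructed-demo-key');
$otp   = 'cccccccccccbdefghijklnrtuvcbdefghijklnrtuvcb';
$nonce = 'a1b2c3d4e5f6a7b8c9d0';
$make  = function (array $r) use ($key): string { // builds a signed reply body
    $r['h'] = sign_fields($r, $key);
    return implode("\r\n", array_map(fn($k, $v) => "$k=$v", array_keys($r), array_values($r)));
};
$good   = $make(['otp' => $otp, 'nonce' => $nonce, 'status' => 'OK']);
$stale  = $make(['otp' => $otp, 'nonce' => 'ffffffffffffffffffff', 'status' => 'OK']);
$forged = "otp=$otp\r\nnonce=$nonce\r\nstatus=OK\r\nh=AAAA";
foreach (['good' => $good, 'stale' => $stale, 'forged' => $forged] as $name => $body) {
    echo $name, ': ', var_export(reply_is_valid($body, $otp, $nonce, $key), true), "\n";
}
```

The `stale` case carries a valid signature but a different nonce, which is the situation a signature check alone does not catch.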