DarkSoroush
Forum Replies Created
Forum: Plugins
In reply to: [Orion Login with SMS] Security Concern (ClickATell, ClickSend)
@tobifjellner, Sorry about that, but I am not familiar with the WordPress forums. Is there a way to mark a topic as "Security Related" so that it is only visible to the author, or does one like me need to find another way to contact the plugin developer? Because that wouldn't be very convenient, to be honest.
Forum: Plugins
In reply to: [Orion Login with SMS] Security Concern (ClickATell, ClickSend)
This code is also vulnerable to replay attack. In other words, having a combination of [hash-pin] allows a malicious actor to log in multiple times indefinitely. A way to lessen the effect of this is to define a rolling window that passively expires the hash code. Check the following:
To generate hash:
private function olws_rolling_window($offset = 0) {
    // Index of the current 5-minute window; an OTP hashes identically for the whole window.
    $window_size = 60 * 5;
    return ((int) floor(time() / $window_size)) + $offset;
}

private function olws_generate_otp_hash( $country_code, $phone, $otp, $window = false ) {
    if (!$window) {
        $window = $this->olws_rolling_window();
    }
    $mobile_number = $country_code . $phone;
    $str_mobile = strval( trim( $mobile_number ) );
    $str_otp = strval( trim( $otp ) );
    // Bind phone number, OTP and window index; wp_salt() keys the hash so it cannot be
    // recomputed without the site secret.
    $hash = md5(md5(md5($str_mobile . $str_otp) . $window) . wp_salt());
    return $hash;
}
To verify hash:
// Accept the previous, current and next window so an OTP sent just before a
// window boundary is still valid; anything older fails to match.
$success = false;
if ($ref_id !== '') {
    for ($i = -1; $i <= 1; $i++) {
        $window = $this->olws_rolling_window($i);
        $new_hash = $this->olws_generate_otp_hash($country_code, $phone, $otp, $window);
        if ($new_hash === $ref_id) {
            $success = true;
            break;
        }
    }
}
$invalid_otp = !$success;
This can and should be improved by at least keeping the last hash as user meta information so that it cannot be used more than once. But that required more changes to the main class and I was reluctant to do so. This plugin, however, must absolutely take care of this.
- This reply was modified 4 years, 8 months ago by DarkSoroush.
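The rolling-window scheme described in the reply above, extended with the single-use check the reply asks for, as an added example that is not part of the original post or of the plugin's code. It is a language-neutral Python model rather than WordPress PHP: the site salt, phone numbers and timestamps are constructed values, HMAC-SHA256 stands in for the nested md5()/wp_salt() construction (the inputs bound together are the same: phone number, OTP and window index), and a per-user dictionary of consumed hashes stands in for the user meta the reply proposes. The point it demonstrates beyond the reply is that the window tolerance alone still allows a replay inside the window, and that a consumed-hash store can be pruned by the same window arithmetic so it stays bounded.

```python
import hashlib
import hmac

# Constructed for this example; in the plugin the key would be wp_salt().
SITE_SALT = b"example-site-salt-not-a-real-secret"
WINDOW_SIZE = 60 * 5       # five-minute windows, as in the reply
WINDOW_TOLERANCE = 1       # accept previous, current and next window (i = -1..1)


def rolling_window(now: float, offset: int = 0) -> int:
    """Index of the window containing `now`, shifted by `offset`."""
    return int(now // WINDOW_SIZE) + offset


def otp_hash(country_code: str, phone: str, otp: str, window: int) -> str:
    """Keyed hash binding the phone number, the OTP and a window index.

    HMAC-SHA256 replaces the reply's md5(md5(md5(mobile . otp) . window) . wp_salt());
    the values bound together are the same.
    """
    mobile = (country_code + phone).strip()
    message = f"{mobile}|{otp.strip()}|{window}".encode()
    return hmac.new(SITE_SALT, message, hashlib.sha256).hexdigest()


class OtpVerifier:
    """Issues and checks OTP reference hashes, refusing to accept any hash twice."""

    def __init__(self) -> None:
        # mobile -> {consumed hash: window index it was accepted in}
        # Stands in for the per-user meta the reply suggests storing (assumption).
        self._consumed: dict[str, dict[str, int]] = {}

    def issue(self, country_code: str, phone: str, otp: str, now: float) -> str:
        """Hash handed back to the client (the reply's ref_id) when the SMS goes out."""
        return otp_hash(country_code, phone, otp, rolling_window(now))

    def verify(self, country_code: str, phone: str, otp: str, ref_id: str, now: float) -> bool:
        if not ref_id:
            return False
        mobile = (country_code + phone).strip()
        consumed = self._consumed.setdefault(mobile, {})

        # Forget hashes whose window can no longer match: the time check would
        # reject them anyway, so the store only ever holds a few entries per user.
        oldest_valid = rolling_window(now, -WINDOW_TOLERANCE)
        for stale in [h for h, w in consumed.items() if w < oldest_valid]:
            del consumed[stale]

        # Replay: a hash that has already logged someone in is dead even though
        # its window is still live. This is the check the rolling window alone lacks.
        if ref_id in consumed:
            return False

        for i in range(-WINDOW_TOLERANCE, WINDOW_TOLERANCE + 1):
            window = rolling_window(now, i)
            candidate = otp_hash(country_code, phone, otp, window)
            if hmac.compare_digest(candidate, ref_id):
                consumed[ref_id] = window
                return True
        return False
```

Calling `issue()` once and `verify()` twice with the same ref_id and OTP shows the difference: the first call succeeds, the second is refused even though it lands in the same five-minute window. Without the consumed-hash store both calls would succeed, which is the replay the reply describes. Timestamps are passed in explicitly rather than read from the clock so the expiry behaviour can be exercised directly.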
Forum: Plugins
In reply to: [Orion Login with SMS] Security Concern (ClickATell, ClickSend)
Sorry @jdembowski, I thought that the button reports this topic to the plugin developer and hoped to gain attention by a notification or an email. I didn't expect it to reach the WordPress moderators.
Forum: Plugins
In reply to: [WooCommerce] Polylang and Rest API
I want to be able to get the list of all products and the possibility of editing the product without worrying about the language of the content.