Open adiakeka opened 2 years ago
I believe there's a brute-force attack vulnerability when we set the password.
One protection is to add Google reCAPTCHA (I use V2). Here's how to add it (I also add a submit button at the bottom).
On lines 27-36, from this
```php
if(!$_SESSION['_sfm_allowed']) {
	// sha1, and random bytes to thwart timing attacks.  Not meant as secure hashing.
	$t = bin2hex(openssl_random_pseudo_bytes(10));
	if($_POST['p'] && sha1($t.$_POST['p']) === sha1($t.$PASSWORD)) {
		$_SESSION['_sfm_allowed'] = true;
		header('Location: ?');
	}
	echo '<html><body><form action=? method=post>PASSWORD:<input type=password name=p autofocus/></form></body></html>';
	exit;
}
```
change it into this
```php
if(!$_SESSION['_sfm_allowed']) {
	// Token set by the reCAPTCHA widget; empty until the form has been submitted.
	$captcha = isset($_POST['g-recaptcha-response']) ? $_POST['g-recaptcha-response'] : '';
	$secretKey = "Your Secret Key Here";
	$responseKeys = null;
	if($captcha !== '') {
		// Ask Google to verify the token only when one was actually posted.
		$url = 'https://www.google.com/recaptcha/api/siteverify?secret=' . urlencode($secretKey) . '&response=' . urlencode($captcha);
		$response = file_get_contents($url);
		$responseKeys = json_decode($response, true);
	}
	// sha1, and random bytes to thwart timing attacks.  Not meant as secure hashing.
	$t = bin2hex(openssl_random_pseudo_bytes(10));
	if($_POST['p'] && sha1($t.$_POST['p']) === sha1($t.$PASSWORD)) {
		// Log in only if the password matches and Google confirmed the CAPTCHA.
		if(is_array($responseKeys) && !empty($responseKeys["success"])) {
			$_SESSION['_sfm_allowed'] = true;
			header('Location: ?');
		}
	}
	echo '<html><script src="https://www.google.com/recaptcha/api.js" async defer></script><body><form action=? method=post>PASSWORD:<input type=password name=p autofocus/><div class="g-recaptcha" data-sitekey="Your Site Key Here"></div><input type="submit" value="Submit"></form></body></html>';
	exit;
}
```
Edit: Using code tag to prevent code being cropped
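The server-side half of the reCAPTCHA check proposed above, as an added example that is not code from the original post or from the project: it sends the token to `siteverify` by POST so the secret stays out of the URL, and treats a network error, invalid JSON or a hostname mismatch as a failed CAPTCHA. The function names, the expected hostname `files.example.com` and the sample responses are assumptions constructed for illustration.

```php
<?php
// Added example; recaptcha_fetch() and recaptcha_passed() are hypothetical names.

// POST the widget token to Google. Returns the raw response body, or false on
// an empty token or a network failure.
function recaptcha_fetch(string $secret, string $token) {
    if ($token === '') {
        return false; // nothing was posted, so skip the outbound request
    }
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => $secret, 'response' => $token]),
        'timeout' => 5, // do not let a slow verifier hang the login page
    ]]);
    return @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
}

// Decide from the raw body whether the CAPTCHA passed. Fails closed: anything
// other than a well-formed success for our own hostname counts as a failure.
function recaptcha_passed($body, string $expectedHost): bool {
    if (!is_string($body)) {
        return false; // request failed or was never sent
    }
    $data = json_decode($body, true);
    if (!is_array($data)) {
        return false; // not JSON
    }
    return ($data['success'] ?? false) === true
        && ($data['hostname'] ?? '') === $expectedHost;
}

// Constructed sample responses, so the decision logic can be run offline.
if (PHP_SAPI === 'cli') {
    $samples = [
        'valid token'    => '{"success":true,"hostname":"files.example.com"}',
        'wrong hostname' => '{"success":true,"hostname":"other.example.net"}',
        'rejected token' => '{"success":false,"error-codes":["invalid-input-response"]}',
        'not JSON'       => '<html>502 Bad Gateway</html>',
        'network error'  => false,
    ];
    foreach ($samples as $label => $body) {
        printf("%-15s %s\n", $label, recaptcha_passed($body, 'files.example.com') ? 'pass' : 'fail');
    }
}
```

In the login block, the session flag would be set only when both the password comparison and `recaptcha_passed(recaptcha_fetch($secretKey, $captcha), 'files.example.com')` succeed.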