Generating distinct APP_KEY on installation

As the app does not generate a new APP_KEY for each installation, every Faveo installation shares the same key to encrypt and decrypt. Since data encrypted on one installation can easily be used on another instance, this makes the system vulnerable to exposure of sensitive data and to RCE via a deserialized payload.
Manish Verma
2021-02-03 15:39:20 +05:30
parent e422a3b9eb
commit 929d4a8b40


@@ -427,6 +427,7 @@ class InstallController extends Controller
$ENV['APP_DEBUG'] = 'false';
$ENV['APP_BUGSNAG'] = 'true';
$ENV['APP_URL'] = url('/');
$ENV['APP_KEY'] = "base64:h3KjrHeVxyE+j6c8whTAs2YI+7goylGZ/e2vElgXT6I=";
$ENV['DB_TYPE'] = $default;
$ENV['DB_HOST'] = '"'.$host.'"';
$ENV['DB_PORT'] = '"'.$port.'"';
@@ -559,6 +560,7 @@ class InstallController extends Controller
{
$env = base_path().DIRECTORY_SEPARATOR.'.env';
if (is_file($env)) {
Artisan::call('key:generate', ['--force' => true]);
$txt = 'DB_INSTALL=1';
$txt1 = 'APP_ENV=production';
file_put_contents($env, $txt.PHP_EOL, FILE_APPEND | LOCK_EX);
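Review bot: The result of `Artisan::call('key:generate', ['--force' => true])` in the second hunk is never checked, so if the command fails or cannot rewrite the `APP_KEY=` line, the installation silently keeps the literal key written in the first hunk, which is publicly visible in this source. Treat a non-zero exit code as an install failure, e.g. `if (Artisan::call('key:generate', ['--force' => true]) !== 0) { throw new \RuntimeException('APP_KEY generation failed'); }`, and confirm afterwards that the key in `.env` differs from the shipped default. The path where `is_file($env)` is false also appears to leave the default key in place; its handling is outside the hunk. Installations created before this change still use the shared key and need a documented rotation step, since anything they encrypted or signed with it should be treated as exposed.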