From 929d4a8b40d4662a19f766270b32148c07b8dadf Mon Sep 17 00:00:00 2001
From: Manish Verma <alerts@ladybirdweb.com>
Date: Wed, 3 Feb 2021 15:39:20 +0530
Subject: [PATCH] Generating distinct APP_KEY on installation

As the app is not generating the new APP_KEY for each installation each faveo installation share the same key to encrypt and decrypt. Since data encrypted from one installation can easily be used on another instance it makes system vulnerable to expose sensative data from the system and RCE vai deserialized payload
---
 app/Http/Controllers/Installer/helpdesk/InstallController.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/Http/Controllers/Installer/helpdesk/InstallController.php b/app/Http/Controllers/Installer/helpdesk/InstallController.php
index 3d19e03b1..8619d6283 100644
--- a/app/Http/Controllers/Installer/helpdesk/InstallController.php
+++ b/app/Http/Controllers/Installer/helpdesk/InstallController.php
@@ -427,6 +427,7 @@ class InstallController extends Controller
         $ENV['APP_DEBUG'] = 'false';
         $ENV['APP_BUGSNAG'] = 'true';
         $ENV['APP_URL'] = url('/');
+        $ENV['APP_KEY'] = "base64:h3KjrHeVxyE+j6c8whTAs2YI+7goylGZ/e2vElgXT6I=";
         $ENV['DB_TYPE'] = $default;
         $ENV['DB_HOST'] = '"'.$host.'"';
         $ENV['DB_PORT'] = '"'.$port.'"';
@@ -559,6 +560,7 @@ class InstallController extends Controller
     {
         $env = base_path().DIRECTORY_SEPARATOR.'.env';
         if (is_file($env)) {
+            Artisan::call('key:generate', ['--force' => true]);
             $txt = 'DB_INSTALL=1';
             $txt1 = 'APP_ENV=production';
             file_put_contents($env, $txt.PHP_EOL, FILE_APPEND | LOCK_EX);