[Ltb-users] SSP v1.1-1 on CentOS 6.9 - sendtoken - PHP Parse error - defuse-crypto.phar

Clément OUDOT clem.oudot at gmail.com
Fri Nov 17 10:26:54 CET 2017


2017-11-17 10:13 GMT+01:00 Aleksey Qwerty <russian.qwerty at gmail.com>:
> Hi Clément,
>
> Thank you for prompt response!
>
> I made sure I have $keyphrase set. If I'm not mistaken it's required even
> for basic functionality. Otherwise you will see an error on the main web
> page.
>
> $keyphrase = "testsecret";
>
> After changing $crypt_tokens to false it started working! The next obvious
> question is: how safe is that solution? Would you recommend using it in
> production? If not, should we try to fix the issue with the encryption library?
> Please advise.


This is not very risky, as the token is sent in the mail. We encrypt it
only so that the raw PHP session is not displayed in the mail. Token
encryption is mandatory only if you use the reset by SMS feature.

>
> FYI, I've noticed a few minor issues in the log file
> (/var/log/httpd/ssp_error_log) when I opened a link with the token to set up
> a new password:
>
> [Thu Nov 16 22:42:04 2017] [error] [client 192.168.1.100] PHP Notice:
> Undefined variable: source in /usr/share/self-service-password/menu.php on
> line 25
> [Thu Nov 16 22:42:04 2017] [error] [client 192.168.1.100] PHP Notice:
> Undefined variable: source in
> /usr/share/self-service-password/pages/resetbytoken.php on line 213
> [Thu Nov 16 22:42:51 2017] [error] [client 192.168.1.100] PHP Notice:
> Undefined variable: source in /usr/share/self-service-password/menu.php on
> line 25, referer:
> http://testsrv1.example.com/index.php?action=resetbytoken&token=blablablablabla


These are only warnings, nothing to worry about.


Clément.
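To make the difference between the two settings concrete, the following is an added example written for this thread; it is not code from LTB's Self Service Password or from either poster. It assumes that the defuse-crypto.phar named in the subject is the defuse/php-encryption v2 library, that it can be loaded from the path given in the require line (an assumed path), and that the reset token is the PHP session identifier encrypted with $keyphrase via Crypto::encryptWithPassword. That last mapping is an assumption about how SSP builds the token, not something the thread states.

```php
<?php
// Added example, not SSP's own code. Shows what the emailed reset link carries
// when $crypt_tokens is true (ciphertext of the session id, keyed by $keyphrase)
// versus false (the raw PHP session id), and how the receiving side gets the
// session id back in each case.
require_once __DIR__ . '/defuse-crypto.phar';   // path to the phar is an assumption
use Defuse\Crypto\Crypto;
use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException;

/**
 * Build the link that would be mailed to the user.
 * With $cryptTokens = false the session id itself becomes the token.
 */
function build_reset_link($baseUrl, $sessionId, $keyphrase, $cryptTokens)
{
    $token = $cryptTokens
        ? Crypto::encryptWithPassword($sessionId, $keyphrase)   // hex ciphertext
        : $sessionId;                                           // raw session id
    return $baseUrl . '/index.php?action=resetbytoken&token=' . rawurlencode($token);
}

/**
 * Recover the session id from the token in the clicked link.
 * Returns '' when an encrypted token was altered or the keyphrase does not match,
 * so the caller treats it as an invalid token instead of trusting the content.
 */
function token_to_session_id($token, $keyphrase, $cryptTokens)
{
    if (!$cryptTokens) {
        return $token;
    }
    try {
        return Crypto::decryptWithPassword($token, $keyphrase);
    } catch (WrongKeyOrModifiedCiphertextException $e) {
        return '';
    }
}

// Constructed sample values: the keyphrase is the one quoted in the thread,
// the session id and host are made up for the demonstration.
$keyphrase = 'testsecret';
$sessionId = 'k3v9c2d8q1a7b5e6f0g4h8j2l6m0n4p8';
$baseUrl   = 'http://testsrv1.example.com';

foreach (array(true, false) as $cryptTokens) {
    $link  = build_reset_link($baseUrl, $sessionId, $keyphrase, $cryptTokens);
    $query = parse_url($link, PHP_URL_QUERY);
    parse_str($query, $params);
    $recovered = token_to_session_id($params['token'], $keyphrase, $cryptTokens);

    printf("crypt_tokens=%s\n  link: %s\n  session id recovered: %s\n",
        $cryptTokens ? 'true' : 'false', $link, $recovered === $sessionId ? 'yes' : 'no');
}
```

Run it with the phar beside the script. In both cases the recipient of the mail holds a usable token, which is Clément's point above: encryption only hides the session identifier from anyone reading the message, it does not change who can complete the reset. The catch branch matters when encryption is on: a token that was edited in transit or encrypted under a different $keyphrase must fail closed rather than be treated as a session id.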

