HOR-3433

Fix ProcessMaker User Password Hash Disclosure.
2017-08-09 14:40:02 -04:00
parent b839a247d9
commit 2f3daccd6b
5 changed files with 43 additions and 4 deletions
--- a/workflow/engine/methods/users/usersAjax.php
+++ b/workflow/engine/methods/users/usersAjax.php
@@ -318,7 +318,7 @@ switch ($_POST['action']) {

        require_once 'classes/model/UsersProperties.php';
        $oUserProperty = new UsersProperties();
-        $aUserProperty = $oUserProperty->loadOrCreateIfNotExists($aFields['USR_UID'], array('USR_PASSWORD_HISTORY' => serialize(array($aFields['USR_PASSWORD']))));
+        $aUserProperty = $oUserProperty->loadOrCreateIfNotExists($aFields['USR_UID'], array('USR_PASSWORD_HISTORY' => serialize(array($oUser->getUsrPassword()))));
        $aFields['USR_LOGGED_NEXT_TIME'] = $aUserProperty['USR_LOGGED_NEXT_TIME'];

        if (array_key_exists('USR_PASSWORD', $aFields)) {