From d5356a81c132fbb8f9460420584b578fa2ed6711 Mon Sep 17 00:00:00 2001
From: Anonymous Contributor
Date: Wed, 23 Aug 2023 18:16:34 +0200
Subject: [PATCH] Do not store salt when generating new password
---
 pages/users.php | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/pages/users.php b/pages/users.php
index 9b8e9bf..2565b01 100644
--- a/pages/users.php
+++ b/pages/users.php
@@ -17,15 +17,11 @@
 if(@$_REQUEST['action'] == 'genpw' && @$_REQUEST['userid'] != '') {
- $SALT = md5(rand(1111, 9999));
 $NEWPW = generateRandomString(10);
 $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID');
 $statement->execute(['PasswordHash' => password_hash($NEWPW, PASSWORD_ARGON2ID), 'PrincipalID' => $_REQUEST['userid']]);
- $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordSalt = :passwordSalt WHERE UUID = :PrincipalID');
- $statement->execute(['passwordSalt' => $SALT, 'PrincipalID' => $_REQUEST['userid']]);
-
 $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", '');
 }
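Review bot: The `genpw` branch resets a user's password on any request where `$_REQUEST['action'] == 'genpw'`, so a plain GET is enough to trigger it, and no anti-CSRF check is visible in this hunk (one may exist earlier in the file). I would require POST and verify a session-bound token with `hash_equals()` before the `UPDATE`, e.g. `if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'genpw' && ($_POST['userid'] ?? '') !== '') {`. `generateRandomString()` is defined outside the hunk; since the removed salt was built with `rand()`, it is worth confirming that the helper draws from `random_int()` or `random_bytes()`, because the new password is only as strong as that source. The `passwordSalt` value already stored in each row is no longer written here and stays in place unless it is cleared separately.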