Improvements to PHP's mt_rand RNG seeding
|Assignee:||Ryan Gordon||% Done:|
|Reported In MyBB Version:||1.4.11|
All random values generated in MyBB are predictable because PHP's RNG (random number generator) does not generate cryptographically secure random numbers.
For example, new activation code/password is created with mt_rand() and is therefore predictable from the outside (because mt_srand() is also used by MyBB or otherwise seeded internally in PHP)
Because it is predictable an attacker can just reset the password for any account and then login via an aided bruteforce attempt for the password.
Solution is so create our own cryptographically secure random number generator.
#6 Updated by Huji Lee about 3 years ago
- Status changed from Resolved to Feedback
On my installation of MyBB 1.6 on Windows XP with PHP 5.2.6 on Apache, I get blank pages on newreply.php and some other pages with this error:
PHP Fatal error: Call to undefined method com::GetRandom() in F:\\SVN\\MyBB\\trunk\\inc\\functions.php on line 5905
Interestingly, the try..catch is not helping here either.