Bug #843

Improvements to PHP's mt_rand RNG seeding

Added by Ryan Gordon about 3 years ago. Updated about 3 years ago.

Status:ClosedStart date:04/03/2010
Priority:NormalDue date:
Assignee:Ryan Gordon% Done:

100%

Category:-
Target version:-
Reproducibility:Rarely SQA assignments:
Reported In MyBB Version:1.4.11

Description

All random values generated in MyBB are predictable because PHP's RNG (random number generator) does not generate cryptographically secure random numbers.

For example, new activation code/password is created with mt_rand() and is therefore predictable from the outside (because mt_srand() is also used by MyBB or otherwise seeded internally in PHP)
Because it is predictable an attacker can just reset the password for any account and then login via an aided bruteforce attempt for the password.

Solution is so create our own cryptographically secure random number generator.

Related issues

Related to MyBB Merge System - Bug #847: mt_rand to my_rand in Merge System Closed 04/04/2010

History

#1 Updated by Ryan Gordon about 3 years ago

  • Status changed from Assigned to Resolved
  • % Done changed from 0 to 100

Applied in changeset r4851.

#2 Updated by Ryan Gordon about 3 years ago

Applied in changeset r4864.

#3 Updated by Ryan Gordon about 3 years ago

Applied in changeset r4865.

#4 Updated by Ryan Gordon about 3 years ago

Applied in changeset r4868.

#5 Updated by Ryan Gordon about 3 years ago

  • Target version changed from 1.6.0 Beta to 1.4.12

#6 Updated by Huji Lee about 3 years ago

  • Status changed from Resolved to Feedback

On my installation of MyBB 1.6 on Windows XP with PHP 5.2.6 on Apache, I get blank pages on newreply.php and some other pages with this error:

PHP Fatal error: Call to undefined method com::GetRandom() in F:\\SVN\\MyBB\\trunk\\inc\\functions.php on line 5905

Interestingly, the try..catch is not helping here either.

#7 Updated by Ryan Gordon about 3 years ago

  • Status changed from Feedback to Resolved

You're setup is screwed. It's definately a bug in PHP, not MyBB. I'm not going to worry about it here.

#8 Updated by Dennis Tsang about 3 years ago

  • Status changed from Resolved to Feedback

There are some issues with this fix.

#9 Updated by Ryan Gordon about 3 years ago

  • Status changed from Feedback to Resolved

#10 Updated by Ryan Gordon about 3 years ago

  • Project changed from MyBB to Security Issues
  • Category deleted (Other)
  • Target version deleted (1.4.12)

#11 Updated by Ryan Gordon about 3 years ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF