From: Operating system: all PHP version: 5.3.2 Package: *Encryption and hash functions Bug Type: Bug Bug description:LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs
Description: ------------ PHP utilizes a cryptographically weak random number generator to produce session ID information. Additionally, not enough entropy is used for the initial seeding of the RNG, and some of the entropy can leak by careless use of the uniqid() PHP function. Under certain circumstances, these individual weaknesses interact and reduce the number of possible values of a PHP session ID so much that exhaustive search for a valid session ID against the web server becomes feasible. I suggest to make sure that a cryptographically secure RNG is used for session ID generation, sufficient entropy is used to seed the RNG, and to change the uniqid() function to always return a hashed value. A complete discussion of why I think the code is vulnerable, including estimates on the attack effort, is available from http://berlin.ccc.de/~andreas/php-entropy-advisory.txt -- Edit bug report at http://bugs.php.net/bug.php?id=51436&edit=1 -- Try a snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=51436&r=trysnapshot52 Try a snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=51436&r=trysnapshot53 Try a snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=51436&r=trysnapshot60 Fixed in SVN: http://bugs.php.net/fix.php?id=51436&r=fixed Fixed in SVN and need be documented: http://bugs.php.net/fix.php?id=51436&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=51436&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=51436&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=51436&r=needscript Try newer version: http://bugs.php.net/fix.php?id=51436&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=51436&r=support Expected behavior: http://bugs.php.net/fix.php?id=51436&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=51436&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=51436&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=51436&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=51436&r=php4 Daylight Savings: http://bugs.php.net/fix.php?id=51436&r=dst IIS Stability: http://bugs.php.net/fix.php?id=51436&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=51436&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=51436&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=51436&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=51436&r=mysqlcfg
