ID:               31453
 Comment by:       php at richardneill dot org
 Reported By:      cdturri at hotmail dot com
 Status:           Open
 Bug Type:         Arrays related
 Operating System: Windows 2000 Advanced Server SP4
 PHP Version:      5.0.3
 New Comment:

This is a rather nasty security bug, with which someone successfully
attacked my website. The default passwords were generated by
concatenating 2 random words from the dictionary, yet the function
(which has worked fine for 3 years) suddenly started to produce exactly
the same result every time! 

The bug occurs in this version of PHP (Mandrake's most recent stable
package): PHP 4.3.4 (cli) (built: Dec 16 2004 18:39:58); but not in the
cooker package (PHP 4.3.10 (cli) (built: Dec 16 2004 15:44:17)). The bug
occurs in both php-cli and running under apache2-2.0.48-6.8.100mdk.

Here's my code, which illustrates this bug under Mandrake 10.1:

<?php
// Candidate words for the default password.
$letters=array("alpha","beta", "gamma", "delta", "epsilon", "zeta",
"eta", "theta", "iota", "kappa", "lambda", "mu", "nu", "xi");

// Pick two distinct random keys; no explicit srand() call is made.
$rand_keys = array_rand ($letters, 2);

$word1= $letters[$rand_keys[0]];
$word2= $letters[$rand_keys[1]];

echo "The following line SHOULD be different every time! In
php-cli-4.3.4-4.3.100mdk, this is NOT true! 'zetanu' occurs every
time.\n";
echo "$word1$word2\n";
?>


Adding in an srand() will fix it, but mt_srand() will not. However,
neither of these were necessary for the last 3 years, and so I imagine
this bug will cause security problems for other people.


Previous Comments:
------------------------------------------------------------------------

[2005-01-09 15:04:01] cdturri at hotmail dot com

Description:
------------
Hi guys,

array_rand() is not returning random values in my scripts. I am using a
multidimension array that is being loaded from an INI file with
@parse_ini_file(). Tested under Apache v2.0.52/PHP v5.0.3 on Windows
2000 Advanced Server and a CVS build (php5-win32-200501071130.zip)
under Windows as well. Bug appears on both. I don't have a Unix system
to test it under PHP 5 (shame on me!) but the problem does NOT occur
under Unix/Apache v 1.3.33/PHP v4.3.9. 

Calling srand() to seed the random number generator seems to fix the
problem but the PHP manual clearly says that:

"Note: As of PHP 4.2.0, there is no need to seed the random number
generator with srand() or mt_srand() as this is now done
automatically."
(http://ie2.php.net/manual/en/function.array-rand.php)

mt_rand(), rand() and mt_srand() also contain notes saying that seeding
is not required before calling them.

Found several related bugs, but this one mentions the same issue:

http://bugs.php.net/bug.php?id=26290

[17 Nov 2003 2:12pm CET] [EMAIL PROTECTED]
You forgot to call srand() to generate random key. Hence the lack of
random data.
[17 Nov 2003 2:25pm CET] [EMAIL PROTECTED]
Incorrect documentation I'm afraid.

So, it is one or the other. Either the documentation is wrong or the
function is not properly seeding the random number generator.
Could anyone please have a look?

Thanks for looking at this bug.

Regards,
Christian

Reproduce code:
---------------
I am using this code to verify the bug:

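<?php

// Load the INI file as a multidimensional array (sections as keys).
$multiarray = @parse_ini_file('cache.ini',true);

// Initialised so the comparison below does not read an undefined variable.
$first_item = null;

for($i=0;$i<100;$i++){
    $rand_key = array_rand($multiarray);
    print $rand_key . '<br>';
    if ($i == 1) {
        $first_item = $rand_key;
    }
    // Emit an extra break whenever the remembered key comes up again.
    if ($first_item == $rand_key) {
        echo '<br>';
    }
}
?>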

You can see the bug at:

http://www.turribeach.com.ar/downloads/test.php

You can download the INI file I am using and the test.php from:

http://www.turribeach.com.ar/downloads/PHP_Test.zip

Expected result:
----------------
A random key from the INI file.

Actual result:
--------------
A key, but it is not random; it is a subset of the original key
array.


------------------------------------------------------------------------
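
The failure both comments describe, as an added example (not code from either reporter or from PHP itself): a generator that starts from the same state returns one password forever, while random_int() (PHP 7 and later) draws from the operating system CSPRNG and needs no seed. The fixed seed, the function names and the word list are constructed for illustration; arrow functions require PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Constructed sample word list (the Greek letters from the report above).
const WORDS = ['alpha', 'beta', 'gamma', 'delta', 'epsilon', 'zeta', 'eta',
               'theta', 'iota', 'kappa', 'lambda', 'mu', 'nu', 'xi'];

// Weak form: picks words with the Mersenne Twister. If the generator state is
// the same at start-up (simulated here with a fixed seed), every run returns
// the same "random" password, which is the failure the report describes.
function weakPassword(array $words, int $seed, int $count = 2): string
{
    mt_srand($seed);
    $out = '';
    for ($i = 0; $i < $count; $i++) {
        $out .= $words[mt_rand(0, count($words) - 1)];
    }
    return $out;
}

// Hardened form: random_int() draws from the operating system CSPRNG, needs
// no seeding, and throws instead of silently degrading if no source exists.
function strongPassword(array $words, int $count = 4): string
{
    $out = [];
    for ($i = 0; $i < $count; $i++) {
        $out[] = $words[random_int(0, count($words) - 1)];
    }
    return implode('-', $out);
}

// Upper bound on entropy in bits for $count independent picks from $words.
function entropyBits(array $words, int $count): float
{
    return $count * log(count($words), 2);
}

// Same start state, same password: 20 "fresh" passwords collapse to one value.
$weak = array_unique(array_map(fn() => weakPassword(WORDS, 1), range(1, 20)));
printf("weak generator, 20 runs: %d distinct value(s)\n", count($weak));

// CSPRNG output varies between calls without any seeding call.
$strong = array_unique(array_map(fn() => strongPassword(WORDS), range(1, 20)));
printf("random_int(), 20 runs:   %d distinct value(s)\n", count($strong));

// The word list itself limits strength, whatever the generator.
printf("entropy: 2 words = %.1f bits, 4 words = %.1f bits\n",
       entropyBits(WORDS, 2), entropyBits(WORDS, 4));
```

The entropy line shows that a 14-word list stays guessable even with a sound generator; a word-based default password needs a list of thousands of words as well as a CSPRNG.
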


-- 
Edit this bug report at http://bugs.php.net/?id=31453&edit=1
