News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Openwall.com:
php_mt_seed went beyond PoC (mt_rand seed cracker)
November 05, 2013 @ 12:49:12

As Openwall.com has reported, a flaw has been found in PHP's mt_rand functionality that allows the prediction of the result with just some of the other results.

With the functionality added in October, our php_mt_seed PHP mt_rand() seed cracker is no longer just a proof-of-concept, but is a tool that may actually be useful, such as for penetration testing. It is now a maintained project with its own homepage: http://www.openwall.com/php_mt_seed/.

They include a bit of illustration code showing how the see cracker works - generating 10 "random" numbers between 0 and 9. An example of running the "php_mt_seed" command against these values is shown along with the time to crack (just under 20 seconds). There's also an example of cracking when you don't know all 10 numbers in the sequence too. This further reinforces the best practice of not using mt_rand when you need strong random numbers for the security related functionality of your application (something like openssl_random_pseudo_bytes is a much better option).

0 comments voice your opinion now!
mtrand seed cracker proofofconcept poc openwall

Link: http://www.openwall.com/lists/announce/2013/11/04/1

Pádraic Brady:
Predicting Random Numbers In PHP - It's Easier Than You Think!
March 26, 2013 @ 09:54:15

Pádraic Brady has a new post to his site about "randomness" in PHP and how, depending on the method used, you might not be as random as you think.

The Zend Framework team recently released versions 2.0.8 and 2.1.4 to address a number of potential security issues including advisory ZF2013-02 "Potential Information Disclosure and Insufficient Entropy vulnerabilities in ZendMathRand and ZendValidateCsrf Components". Quite the mouthful! In short, Zend Framework used the mt_rand() function to generate random numbers in situations where neither openssl_pseudo_random_bytes() nor mcrypt_create_iv() were available. This is possible when the openssl and mcrypt extensions are not installed/compiled with PHP.

He talks some about the mt_rand function and how it generates its "random numbers" (designed for speed, not ultimate randomness). He notes that all of PHP's internal randomization functions use the concept of "seeds" to prime the random number/string generation. Unfortunately, the seeding method is known inside PHP, so it is possible - if the method of generation is weak, as it is with mt_rand - that an attacker could brtute force their way into a correct value. You can find more about randomness in PHP in this chapter of his PHP security handbook including a mention of Anthony Ferrara's randomness library.

0 comments voice your opinion now!
randomness seed mtrand openssl mcrypt randomlib



Community Events





Don't see your event here?
Let us know!


language podcast install wordpress api interview laravel application release code library threedevsandamaybe bugfix series developer unittest list introduction configure community

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework