Use of Predictable Algorithm in Random Number Generator in beestat/app
Jun 26th 2021
The random number generator behind mt_rand(), which is used here to generate session keys, is not suitable for cryptographic purposes (generation of tokens, passwords, or cryptographic keys).
When a function such as mt_rand(), which produces predictable values, is used as a source of randomness in a security-sensitive context, insecure-randomness weaknesses arise.
In this case, the function generate_session_key() in /api/cora/session.php (line 252) uses mt_rand() and therefore generates weak random numbers.
🕵️‍♂️ Proof of Concept
// POC.php https://github.com/ambionics/mt_rand-reverse/blob/master/display_mt_rand.php
This vulnerability lets an attacker guess the session key of any user.
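The weakness and its remedy, as an added example in PHP that is not beestat's own code: `weak_session_key()`, `strong_session_key()` and `session_key_matches()` are hypothetical names, the alphabet and key lengths are assumptions, and the seed is a constructed value. It shows that a key built from mt_rand() is fully determined by the generator state, beside a key drawn from the operating system CSPRNG with random_bytes().

```php
<?php
// Added example. Function names, alphabet and lengths are hypothetical,
// not taken from beestat/app.

// Weak pattern: every character comes from mt_rand(), so the whole key is
// determined by the Mersenne Twister state.
function weak_session_key(int $length = 40): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $key;
}

// Hardened form: random_bytes() reads from the operating system CSPRNG and
// throws an exception if no secure source is available.
function strong_session_key(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes)); // hex-encoded, two characters per byte
}

// Constant-time comparison when validating a key presented by a client.
function session_key_matches(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

// Determinism check with a constructed seed: re-seeding the generator
// reproduces the same "random" key.
mt_srand(12345);
$first = weak_session_key();
mt_srand(12345);
$second = weak_session_key();
echo 'mt_rand keys repeat after re-seeding: ';
var_dump($first === $second);

// Keys from the CSPRNG have no seed an application can replay.
$a = strong_session_key();
$b = strong_session_key();
echo 'CSPRNG keys differ between calls: ';
var_dump(!session_key_matches($a, $b));
```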