Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in star7th/showdoc


Reported on

Nov 18th 2021


Logged in by LDAP will lead to a weak-password initialization,

                if ($ldap_user == $username) {
                    $userInfo = D("User")->isExist($username) ; 
                        D("User")->register($ldap_user,$ldap_user.time()); //【register with a weak password, such as :  tom/tom1637248826】
                    $rs2=ldap_bind($ldap_conn, $dn , $password);//【when the LDAP password is WRONG,no password change will be implemented】
                    if ($rs2) {//如果该用户不在数据库里,则帮助其注册
                       D("User")->updatePwd($userInfo['uid'], $password);
                       return $this->checkLogin($username,$password);

Proof of Concept

1)If there is a valid LDAP user , let's say named tom, once he activated his account( such as logged with a WRONG password: such tom/123456)

2)Then, a record will be add to the Database ( by D("User ")->register($ldap_user,$ldap_user.time());), with a password like tom1637248826, but the change of password D("User")->updatePwd($ won't work

3)Because we all know that the password is like tom.time(), and time() is one kind of pseudo-random number, we could easily use brute force tool (such as Burp Intruder) to got it.

4)Thus in this situation,an attacker could brute force the password of tom's, until getting the password of tom1637248826

 if ($rs2) {//如果该用户不在数据库里,则帮助其注册
                       D("User")->updatePwd($userInfo['uid'], $password);
                       return $this->checkLogin($username,$password);


This vulnerability is capable of: compromise a user by brute force his/her password in certain situation(log with a valid LDAP username but WRONG password)

We are processing your report and will contact the star7th/showdoc team within 24 hours. 2 years ago
We have contacted a member of the star7th/showdoc team and are waiting to hear back 2 years ago
star7th validated this vulnerability 2 years ago
hi-unc1e has been awarded the disclosure bounty
The fix bounty is now up for grabs
star7th marked this as fixed in 2.9.13 with commit a9886f 2 years ago
star7th has been awarded the fix bounty
Jamie Slome
2 years ago

CVE published! 🎊

to join this conversation