Small Space of Random Values in francoisjacquet/rosariosis


Reported on Apr 26th 2022


The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.

Vulnerable code snippet

// NotifyParents.php#L60: the suffix comes from rand(), a non-cryptographic PRNG, with only 9000 possible values
$password = $staff['USERNAME'] . rand( 1000, 9999 );


An attacker who knows the username can guess the generated password in at most 9000 tries.

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a year ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back a year ago


Hello @intrapus

Thank you very much for reporting the issue. Please note that administrators can enable the "Ban after X failed login attempts" and "Change password on first login" options to mitigate brute force attacks. The user still has to type his generated password at least once. So I will raise 9999 to no more than 9999999999 in order to keep things reasonable.
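The following PHP is an added example, not RosarioSIS code: it places the reported `rand( 1000, 9999 )` pattern beside the widened range the maintainer describes and beside a CSPRNG-based alternative, and prints the size of each search space in bits. The `$staff` record is a constructed sample; the function names are this example's own.

```php
<?php
// Added example, not part of RosarioSIS. Assumes 64-bit PHP (random_int's
// upper bound 9999999999 exceeds PHP_INT_MAX on 32-bit builds).

// Bits of entropy in a uniformly chosen value from $size candidates.
function keyspace_bits(int $size): float {
    return log($size, 2);
}

// The reported pattern: username + rand(1000, 9999).
// rand() is not a CSPRNG and yields only 9000 distinct suffixes (~13.1 bits).
function weak_password(array $staff): string {
    return $staff['USERNAME'] . rand(1000, 9999);
}

// The maintainer's mitigation: widen the numeric suffix up to 9999999999.
// random_int() is the CSPRNG-backed integer generator in PHP 7+.
function widened_password(array $staff): string {
    return $staff['USERNAME'] . random_int(1000, 9999999999);
}

// An alternative that drops the predictable username prefix entirely:
// 12 bytes from random_bytes() give 96 bits of entropy as 24 hex characters.
function strong_temp_password(int $bytes = 12): string {
    return bin2hex(random_bytes($bytes));
}

$staff = ['USERNAME' => 'jdoe']; // constructed sample staff record

printf("weak:    %s  (%.1f bits)\n", weak_password($staff), keyspace_bits(9999 - 1000 + 1));
printf("widened: %s  (%.1f bits)\n", widened_password($staff), keyspace_bits(9999999999 - 1000 + 1));
printf("strong:  %s  (%.1f bits)\n", strong_temp_password(), 8 * 12);
```

The username prefix adds nothing to the search space when the attacker already knows the login, so the bit counts above describe the suffix alone; a lockout after X failed attempts bounds how much of that space can be searched online.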

François Jacquet validated this vulnerability a year ago
intrapus has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 8.9.5 with commit 1e1c7f a year ago
François Jacquet has been awarded the fix bounty
This vulnerability will not receive a CVE
NotifyParents.php#L60 has been validated