Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in ampache/ampache
Reported on
Jul 16th 2021
✍️ Description
According to the official PHP documentation [1], the mt_rand() function has a security issue: "This function does not generate cryptographically secure values, and should not be used for cryptographic purposes". As we see in the permalinks, you use the mt_rand() function to generate session and API keys, so the attacker can take over your user accounts.
For more information about using secure random functions, you can read the following document: https://phpsecurity.readthedocs.io/en/latest/Insufficient-Entropy-For-Random-Values.html. It also does not matter that you use the md5 and uniqid functions, because the source of these functions can be the same and the entropy of session and API keys will be weak and insecure.
💥 Impact
This vulnerability is capable of taking control of users' accounts.
Fix
Use random_bytes [2] instead of mt_rand.
[1] https://www.php.net/manual/en/function.mt-rand.php
[2] https://www.php.net/manual/en/function.random-bytes.php
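Added example, not part of the original report and not Ampache's code: a constructed token generator of the weak kind the report describes (mt_rand() wrapped in uniqid() and md5()) beside a replacement built on random_bytes(), plus a same-seed replay that shows why mt_rand() output is predictable. The function names weak_token, secure_token, token_matches and mt_sequence, and the seed value, are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Weak pattern (constructed for illustration, not Ampache's code):
// mt_rand() is a Mersenne Twister driven by a 32-bit seed and uniqid() is
// derived from the current time, so md5() only hides a guessable input.
function weak_token(): string
{
    return md5(uniqid((string) mt_rand(), true));
}

// Hardened replacement: bytes from the OS CSPRNG, hex-encoded for storage.
function secure_token(int $bytes = 32): string
{
    if ($bytes < 16) {
        throw new InvalidArgumentException('token must carry at least 128 bits');
    }
    // random_bytes() throws if no secure randomness source is available,
    // so a failure can never silently fall back to a weak value.
    return bin2hex(random_bytes($bytes));
}

// Constant-time comparison of a stored key against a presented one.
function token_matches(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

// Replays the mt_rand() sequence for a given seed (constructed seed value).
function mt_sequence(int $seed, int $count): array
{
    mt_srand($seed);
    $out = [];
    for ($i = 0; $i < $count; $i++) {
        $out[] = mt_rand();
    }
    return $out;
}

// Two runs with the same seed are compared: the sequence is fully determined.
var_dump(mt_sequence(1234, 3) === mt_sequence(1234, 3));
mt_srand(); // return to random seeding after the demonstration

$key = secure_token();
var_dump(strlen($key));
var_dump(token_matches($key, $key));
var_dump(token_matches($key, secure_token()));
```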
Hey amammad, I've just emailed the maintainer and am waiting to hear back. Good job!
Hi, I'll patch this on Monday when I get back to work.
@amammad are you happy with me just replacing the function with random_bytes (from this patch) generated
Dear @lachlan, it's OK in my opinion.
Thanks for fixing it quickly.