Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in ampache/ampache

Valid

Reported on

Jul 16th 2021


✍️ Description

According to PHP official documents [1] we have for mt_rand() function an security issue that says "This function does not generate cryptographically secure values, and should not be used for cryptographic purposes" and as we see in permalinks you use the mt_rand() function for generate session and API keys, the attacker can take over your user accounts

Also for more information about use secure random functions you can read following document: https://phpsecurity.readthedocs.io/en/latest/Insufficient-Entropy-For-Random-Values.html and also there is no matter that you use md5 and uniqid functions, because the source of this functions can be same and the atrophy of session and API keys will be weak and unsecure.

💥 Impact

This vulnerability is capable of take control of user's accounts.

Fix

use random_bytes [2] instead of mt_rand

[1] https://www.php.net/manual/en/function.mt-rand.php

[2] https://www.php.net/manual/en/function.random-bytes.php

amammad modified their report
2 months ago
amammad modified their report
2 months ago
Ziding Zhang
2 months ago

Admin


Hey amammad, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the ampache team and are waiting to hear back 2 months ago
ampache/ampache maintainer
2 months ago

Maintainer


Hi, I'll patch this on Monday when I get back to work

ampache/ampache maintainer validated this vulnerability 2 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
lachlan submitted a
2 months ago
ampache/ampache maintainer
2 months ago

Maintainer


@amammad are you happy with me just replacing the function with random_bytes (from this patch) generated

amammad
2 months ago

Researcher


Dear @lachlan, its Ok in my opinion.

Thanks for Fix it quickly.

ampache/ampache maintainer confirmed that a fix has been merged on 450a9a 2 months ago
lachlan has been awarded the fix bounty