✍️ Description

The random number generator implemented by mt_rand() cannot withstand a cryptographic attack. Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context.

In this case the function that generates weak random numbers is mt_rand() in /psm/Service/User.php at line 394.

This code uses the rand() function to generate "unique" identifiers for the receipt pages it generates. Because rand() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG.

🕵️‍♂️ Proof of Concept

**POC.php**

#!/usr/bin/env php
<?php

if($argc < 3)
{
    print($argv[0] . ' <seed> <n>' . "\n");
    print('' . "\n");
    print('Parameters:' . "\n");
    print('  seed:   Seed to initialize mt_rand() with' . "\n");
    print('  offset: Number of calls to mt_rand() before printing the first');
    print(' output' . "\n");
    print('' . "\n");
    print('Output:' . "\n");
    print('  <offset>\'s call to mt_rand() and <offset+227>\'s call');
    print(' to mt_rand()' . "\n");
    exit();
}

mt_srand($argv[1]);
for($i=0;$i<$argv[2];$i++)
    mt_rand();

print mt_rand() . " ";
for($i=0;$i<226;$i++)
    mt_rand();
print mt_rand() . "\n";

💥 Impact

By exploiting this vulnerability, an attacker will able to produce or guess the reset password hashes of any user.

🕵️‍♂️ Solution

When unpredictability is critical, as is the case with most security-sensitive uses of randomness, use a cryptographic PRNG. Regardless of the PRNG you choose, always use a value with sufficient entropy to seed the algorithm. (Values such as the current time offer only negligible entropy and should not be used.)