Vigil@nce - Zend Framework: low entropy
April 2016 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can potentially predict randoms used by Zend
Framework, in order to bypass security features.
Impacted products: Zend Framework.
Severity: 1/4.
Creation date: 14/04/2016.
DESCRIPTION OF THE VULNERABILITY
The Zend Framework product uses a random generator in the
following methods:
- Zend_Ldap_Attribute::createPassword
- Zend_Form_Element_Hash::_generateHash
- Zend_Gdata_HttpClient::filterHttpRequest
- Zend_Filter_Encrypt_Mcrypt::_srand
- Zend_OpenId::randomBytes
However, these methods use rand() or mt_rand(), which are not
cryptographically secure.
An attacker can therefore potentially predict randoms used by Zend
Framework, in order to bypass security features.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Zend-Framework-low-entropy-19383