concrete5: Weak random number generator used in concrete/authentication/concrete/controller.php

2014-10-12T19:12:16
ID H1:31171
Type hackerone
Reporter voodookobra
Modified 2014-10-26T01:43:24

Description

```php
// Vulnerable generator as found in concrete/authentication/concrete/controller.php
private function genString($a = 20)
{
    $o = '';
    $chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+{}|":<>?\'\\';
    $l = strlen($chars);
    while ($a--) {
        // rand() is a seeded, deterministic PRNG, not a cryptographic source.
        // rand(0, $l) is also off by one: when it returns $l, substr() contributes nothing to $o.
        $o .= substr($chars, rand(0, $l), 1);
    }
    // md5() adds no entropy; it only fixes the output length at 32 hex characters.
    return md5($o);
}
```

Building the string from `substr()` over `rand()` and then running `md5()` on it does not produce an unpredictable token: `rand()` is not a cryptographically secure generator, and hashing its output adds no entropy. It would be better replaced by `bin2hex()` over bytes from a CSPRNG, either `openssl_random_pseudo_bytes($a)` (checking the `$crypto_strong` out-parameter) or `mcrypt_create_iv($a, MCRYPT_DEV_URANDOM)`. Note for current installs: PHP 7.0 added `random_bytes()`, which is the preferred source, and the mcrypt extension was deprecated in PHP 7.1 and removed from core in 7.2.

For example:

```php
private function genString($a = 20)
{
    if (function_exists('mcrypt_create_iv')) {
        // Read $a bytes from /dev/urandom and return them as 2*$a hex characters.
        return bin2hex(mcrypt_create_iv($a, MCRYPT_DEV_URANDOM));
    }
    return bin2hex(openssl_random_pseudo_bytes($a));
}
```
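The replacement above changes the output length (40 hex characters for `$a = 20`, versus the 32 that `md5()` always returned) and does not check whether OpenSSL actually produced strong bytes. The following is an added example, not concrete5's code or the reporter's: a drop-in generator that keeps the 32-character output, prefers `random_bytes()` where it exists, checks each fallback's result, and fails closed rather than silently degrading to `rand()`. The class and function names (`TokenGenerator`, `secureHex`, `weakTokenFromSeed`) are illustrative assumptions, as is the seed value used in the demonstration.

```php
<?php
// Added example (not concrete5 code). Hardened replacement for genString()
// with a fallback chain covering the PHP versions current when the report was filed.

final class TokenGenerator
{
    /**
     * Return $hexLen hex characters derived from CSPRNG bytes.
     * The default of 32 matches the length of the original md5()-based genString().
     */
    public static function secureHex($hexLen = 32)
    {
        if (!is_int($hexLen) || $hexLen < 1) {
            throw new InvalidArgumentException('token length must be a positive integer');
        }
        $bytes = self::secureBytes((int) ceil($hexLen / 2));
        return substr(bin2hex($bytes), 0, $hexLen);
    }

    private static function secureBytes($n)
    {
        // PHP >= 7.0: reads the OS CSPRNG and throws if it is unavailable.
        if (function_exists('random_bytes')) {
            return random_bytes($n);
        }
        // PHP 5.3 to 7.1: mcrypt backed by /dev/urandom (removed from core in 7.2).
        if (function_exists('mcrypt_create_iv')) {
            $iv = mcrypt_create_iv($n, MCRYPT_DEV_URANDOM);
            if ($iv !== false && strlen($iv) === $n) {
                return $iv;
            }
        }
        // PHP 5.3+: OpenSSL. The $strong out-parameter MUST be checked; the function
        // can return bytes that are not cryptographically strong.
        if (function_exists('openssl_random_pseudo_bytes')) {
            $strong = false;
            $out = openssl_random_pseudo_bytes($n, $strong);
            if ($out !== false && $strong === true && strlen($out) === $n) {
                return $out;
            }
        }
        // Never fall back to rand()/mt_rand()/uniqid(); fail closed instead.
        throw new RuntimeException('no cryptographically secure random source available');
    }
}

/**
 * Why the original is weak: rand() is a seeded, deterministic generator, so anyone who
 * knows or can guess the seed reproduces every token. This reimplements the original
 * loop (with the index bound corrected) under an explicit, constructed seed; in the
 * vulnerable code the seed is the interpreter's automatic one, which is what an
 * attacker tries to recover.
 */
function weakTokenFromSeed($seed, $len = 20)
{
    srand($seed);
    $chars = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+{}|":<>?\'\\';
    $o = '';
    while ($len--) {
        $o .= substr($chars, rand(0, strlen($chars) - 1), 1);
    }
    return md5($o);
}

// Returns true when the weak generator is fully reproducible from its seed while
// the hardened one is not, and the hardened output keeps the 32-character length.
function demonstrate()
{
    $weakRepeats   = weakTokenFromSeed(1234) === weakTokenFromSeed(1234);
    $secureDiffers = TokenGenerator::secureHex() !== TokenGenerator::secureHex();
    $lengthKept    = strlen(TokenGenerator::secureHex()) === 32;
    return $weakRepeats && $secureDiffers && $lengthKept;
}

var_dump(demonstrate());
```

Run it with `php example.php`; `demonstrate()` returns true on any PHP build with at least one working CSPRNG source, and the script throws a `RuntimeException` instead of producing a weak token when none is available. Two calls to `weakTokenFromSeed()` with the same seed produce byte-identical tokens, which is the property the report is about: the token's unpredictability rests entirely on the secrecy of a seed that `rand()` was never designed to protect.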