PHP :: Doc Bug #64386 :: No warning on insecure pseudo-random generators

No warning on insecure pseudo-random generators

Submitted:

2013-03-08 10:48 UTC

Modified:

2016-06-14 14:52 UTC

Votes:	105
Avg. Score:	2.1 ± 1.0
Reproduced:	1 of 12 (8.3%)
Same Version:	25769803765 (2576980376500.0%)
Same OS:	30064771059 (3006477105900.0%)

From:

pawel dot krawczyk at hush dot com

Assigned:

cmb (profile)

Status:

Closed

Package:

Documentation problem

PHP Version:

Irrelevant

OS:

any

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	pawel dot krawczyk at hush dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2013-03-08 10:48 UTC] pawel dot krawczyk at hush dot com

Description:
------------
---
From manual page: http://www.php.net/function.mt-srand
---
The PHP documentations of pseudorandom related functions is missing warning, 
that these functions should not be used for security purposes - generating 
session ids, passwords, password resets etc.

The affected functions are mt_rand(), rand(), uniqid(), shuffle(), lcg_value()

Documentation should recommend openssl_random_pseudo_bytes() for these purposes.

Weakness of these functions is pretty well documented here:

http://blog.ptsecurity.com/2012/08/not-so-random-numbers-take-two.html

And there are working exploits:

http://blog.ptsecurity.com/2012/11/workshop-random-numbers-take-two-at.html

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-03-08 10:50 UTC] johannes@php.net

-Type: Security +Type: Documentation Problem

[2016-06-14 14:52 UTC] cmb@php.net

Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=339348
Log: Fix #64386: No warning on insecure pseudo-random generators

[2016-06-14 14:52 UTC] cmb@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb

[2016-06-14 14:52 UTC] cmb@php.net

This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

[2020-02-07 06:07 UTC] phpdocbot@php.net

Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=fb0122dd8b1bf1516421ee3b119ed77aeef7a0a7
Log: Fix #64386: No warning on insecure pseudo-random generators

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Apr 28 18:01:30 2025 UTC