Easily exploitable Pseudo Random Number generator in phpbb version 2.0.19 and under.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Easily exploitable Pseudo Random Number generator in phpbb version 2.0.19 and under.
From: chinchilla@xxxxxxxxx
Date: 5 Feb 2006 08:49:25 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

I. DESCRIPTION

Easily exploitable Pseudo Random Number generator in phpbb version 2.0.19 and 
under.


II. DETAILS

Due to poor design the gen_rand_string() can only generate upto 1 million 
hashes or random strings. This allow an attacker to reset any account through 
the lost password request form by "predicting" the validation id and the new 
password for the account. Worst case scenario (for the attacker) is that he 
will have to send 1 million requests to reset the password and 1 million 
requests to get the new password.


For more info visit 
http://www.r-security.net/tutorials/view/readtutorial.php?id=4

Prev by Date: ProtoVer LDAP vs CommuniGate Pro 5.0.7
Next by Date: [ GLSA 200602-01 ] GStreamer FFmpeg plugin: Heap-based buffer overflow
Previous by thread: ProtoVer LDAP vs CommuniGate Pro 5.0.7
Next by thread: [ GLSA 200602-01 ] GStreamer FFmpeg plugin: Heap-based buffer overflow
Index(es):
- Date
- Thread