Ambiguous optinhash values
Random numbers generated by simpleRandString() are, at a significant rate, not unique!
In a recent project this led to dozens of users who were not able to finish their registration to the online portal because the optinhash value did not match the associated uid: the optinhash value had already been issued and used in the course of another registration process.
The optinhash (which is actually a random number and does not depend on underlying data) is generated by the simpleRandString() routine. In each call, it seeds the (pseudo-)random generator:
mt_srand ((double) microtime () * 1000000);
In our environment (PHP 5.3.5), this results in at most 1000 different double values as a seed. As the numbers generated afterwards using mt_rand() are pseudo-random, coincidences at a significant rate are likely.
"As of PHP 4.2.0, there is no need to seed the random number generator with srand() or mt_srand() as this is now done automatically."
Removing the seeding line quoted above entirely should solve this issue.
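The following PHP script is an added example and is not code from the extension or from this bug tracker; the function names (seedFromMicrotime, tokenFromSeed, simpleRandStringReseeding, simpleRandStringUnseeded, optinToken, countDistinct) and the two microtime() strings are constructed for illustration. It reproduces the mechanism behind the report: microtime() returns "0.<usec>00 <sec>", the (double) cast keeps only the fraction, so the seconds are thrown away and at most 10^6 distinct seeds exist (the report saw only 1000 on its PHP 5.3.5 system). Equal seeds give equal mt_rand() sequences and therefore equal optinhash values. The same small seed space also means that anyone who knows roughly when a hash was issued can recover it by trying every seed, so beyond dropping the mt_srand() line an opt-in token used for authorisation is better taken from random_bytes().

```php
<?php
declare(strict_types=1);
// Added example, not code from the extension or the bug tracker. All function
// names below are this example's own.

const CHARSET = 'abcdefghijklmnopqrstuvwxyz0123456789';

/** The seed the report's mt_srand() line computes from a microtime() string.
 *  Only the fractional part survives the cast, so the seconds are discarded
 *  and the seed is an integer in 0..999999. The outer (int) cast only avoids
 *  the PHP 8 float-to-int deprecation notice; it does not change the value. */
function seedFromMicrotime(string $microtime): int
{
    return (int) ((double) $microtime * 1000000);
}

/** Token drawn from mt_rand() after seeding; equal seeds give equal tokens
 *  on every PHP version (the generator changed in 7.1, so the exact strings
 *  differ between versions, but the determinism does not). */
function tokenFromSeed(int $seed, int $length = 16): string
{
    mt_srand($seed);
    return drawToken($length);
}

function drawToken(int $length): string
{
    $out = '';
    $max = strlen(CHARSET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= CHARSET[mt_rand(0, $max)];
    }
    return $out;
}

/** Buggy variant: reseeds from the wall clock on every call, as in the report. */
function simpleRandStringReseeding(int $length = 16): string
{
    return tokenFromSeed(seedFromMicrotime(microtime()), $length);
}

/** The fix proposed in the report: same routine, mt_srand() line removed. */
function simpleRandStringUnseeded(int $length = 16): string
{
    return drawToken($length);
}

/** What an authorisation token should be: CSPRNG output (PHP >= 7.0). */
function optinToken(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

/** Number of distinct values among $n calls of $generator. */
function countDistinct(callable $generator, int $n): int
{
    $seen = [];
    for ($i = 0; $i < $n; $i++) {
        $seen[$generator()] = true;
    }
    return count($seen);
}

// 1. Two registrations exactly one second apart (constructed microtime()
//    strings) get the same seed and therefore the same "random" optinhash.
$a = '0.25139300 1138197510';
$b = '0.25139300 1138197511';
printf("seed A = %d, seed B = %d, tokens %s\n",
    seedFromMicrotime($a), seedFromMicrotime($b),
    tokenFromSeed(seedFromMicrotime($a)) === tokenFromSeed(seedFromMicrotime($b))
        ? 'identical' : 'different');

// 2. The whole seed space is enumerable: recovering the seed behind a known
//    hash takes at most 10^6 mt_srand() calls (a second or two on a laptop).
$target = tokenFromSeed(251393);
$found = null;
for ($seed = 0; $seed < 1000000; $seed++) {
    if (tokenFromSeed($seed) === $target) {
        $found = $seed;
        break;
    }
}
printf("brute force recovered seed %s\n", var_export($found, true));

// 3. Live duplicate count for 10000 tokens of each variant on this machine.
//    The count for the buggy variant depends on clock resolution and call
//    rate; the report's collisions happened across separate registrations.
foreach ([
    'reseeding (buggy)'        => 'simpleRandStringReseeding',
    "unseeded (report's fix)"  => 'simpleRandStringUnseeded',
    'random_bytes (CSPRNG)'    => 'optinToken',
] as $label => $fn) {
    printf("%-26s %d duplicates in 10000\n", $label, 10000 - countDistinct($fn, 10000));
}
```

Run it with `php collisions.php`. Part 1 always reports identical tokens because the seconds never enter the seed; part 2 always recovers seed 251393, which is the point that matters for an opt-in link that doubles as proof of e-mail ownership; part 3 shows how often the reseeding variant repeats itself on your own system compared with the unseeded routine and with random_bytes().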
Updated by Jonas Felix over 6 years ago
- Assignee set to Alex Kellner
- % Done changed from 0 to 90
Here is a fixed version of the extension:
Those are the related fixes:
Here is the matching security bulletin:
I'm not allowed to change the status, but that's fixed.