CVE-2008-4107

Publication date 18 September 2008

Last updated 24 July 2024

The (1) rand and (2) mt_rand functions in PHP 5.2.6 do not produce cryptographically strong random numbers, which allows attackers to leverage exposures in products that rely on these functions for security-relevant functionality, as demonstrated by the password-reset functionality in Joomla! 1.5.x and WordPress before 2.6.2, a different vulnerability than CVE-2008-2107, CVE-2008-2108, and CVE-2008-4102.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php5	8.10 intrepid	Ignored end of life, was needs-triage
	8.04 LTS hardy	Ignored end of life, was needs-triage
	7.10 gutsy	Ignored end of life, was needs-triage
	7.04 feisty	Ignored end of life, was needs-triage
	6.06 LTS dapper	Ignored end of life, was needs-triage

Notes

mdeslaur

as of 2009-04-10, unfixed in debian with following comment: the rand() and mt_rand() functions were never said to be cryptographically strong AFAICT, unfixed upstream also more information here: http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/ Let's ignore this also.

References

Other references

https://www.cve.org/CVERecord?id=CVE-2008-4107