On Wed, September 24, 2008 23:41, Stefan Fritsch wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was published for
> phpbb2.
>
> CVE-2008-4125[0]:
> | The search function in phpBB 2.x provides a search_id value that
> | leaks the state of PHP's PRNG, which allows remote attackers to
> | obtain potentially sensitive information, as demonstrated by a
> | cross-application attack against WordPress, a different
> | vulnerability than CVE-2006-0632.
Thanks for the report. I haven't seen an upstream patch yet. I think replacing it by something like uniqid() would do the trick for us here, and remove the explicit seeding that is not required since PHP 4.2 as Stefan E explains.

Thijs
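As an added illustration of the two points in the thread (the search_id exposing raw PRNG output after an explicit seed, and the fix of dropping the seeding and using an opaque identifier), the following PHP is not phpBB's code or the Debian patch: the seed expression and the storage layout are constructed, and the replacement uses random_bytes(), which goes further than the uniqid() suggested above.

```php
<?php
// Added example, not phpBB's source. It contrasts the pattern described in
// CVE-2008-4125 with an identifier that exposes no generator state.

// Pattern the advisory describes (reconstructed; the real seed expression is
// not on the page): the value handed to the browser is raw Mersenne Twister
// output, so an observer learns the generator's state and can predict what
// any other application on the same PHP process draws from mt_rand().
function searchIdLeaky(): int
{
    // Explicit seeding, unnecessary since PHP 4.2 (PHP seeds automatically).
    // A low-entropy seed like this is also guessable (constructed example).
    mt_srand((int) (microtime(true) * 1000));
    return mt_rand(); // raw PRNG output becomes a public identifier
}

// Hardened replacement: a CSPRNG token and no mt_srand() call at all.
// uniqid() is time-based and merely unique, not unpredictable; random_bytes()
// (PHP >= 7.0) gives 128 bits that say nothing about mt_rand()'s state.
function searchIdSafe(): string
{
    return bin2hex(random_bytes(16));
}

// The id is only a lookup key into server-side state; the client never sees
// anything derived from the shared PRNG (storage layout is constructed).
$searchStore = [];
$id = searchIdSafe();
$searchStore[$id] = ['terms' => 'example query', 'created' => time()];

var_dump(strlen($id) === 32, ctype_xdigit($id), isset($searchStore[$id]));
```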