Joomla! Issue Tracker | Joomla! CMS #8710 - [3.4] Session Tokens (for spam prevention? looks like CSRF) are Predictable

Closed
8 Jan 2016
Medium
Build: master
# 8710

paragonie-scott
16 Dec 2015

https://github.com/joomla/joomla-cms/blob/952f2a6e68d300cfa5b041b50c0def56fb769fc4/libraries/joomla/session/session.php#L758-L780

How to securely generate random ints and strings in PHP

Don't use rand().

paragonie-scott - open - 16 Dec 2015

paragonie-scott - change - 16 Dec 2015

Title

…

[3.4] Session ~~IDs~~ are Predictable

[3.4] Session Tokens (for spam prevention? looks like CSRF) are Predictable

mbabker - reference | d3e5d75 - 16 Dec 15

mbabker - comment - 16 Dec 2015

See #8714

Unless there are characters in JUserHelper::genRandomPassword() that for whatever reason couldn't validate as a CSRF token that occasionally is included as part of a URL, just using that (which uses random_bytes()) is good enough.

paragonie-scott - comment - 1 Jan 2016

Yeah, I think genRandomPassword() is the way to go here.

brianteeman - close - 8 Jan 2016

mbabker - change - 8 Jan 2016

Status	New	⇒	Closed
Closed_Date	0000-00-00 00:00:00	⇒	2016-01-08 09:46:54
Closed_By		⇒	mbabker

mbabker - close - 8 Jan 2016

brianteeman - change - 8 Mar 2016

Labels

Added: ?

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#8710] - [3.4] Session Tokens (for spam prevention? looks like CSRF) are Predictable

Add a Comment