Insecure Random number generation

[vjaykoogu]

Description

We found vlunerability in PEN test results.

Environment

• ADOdb version: 5.22.7
• Driver or Module: ADOdb
• PHP version: 8.1
• Platform: Linux

Error found in below files and Method to Change.

• In above Screenshot we see filename and methos to change.

Fix

Using Below solution:
To generate secure random numbers in PHP, I'll be using random_int() function or the random_bytes() function, which are specifically designed for cryptographic purposes and provide a higher level of randomness.

To generate a random number within a specified range:
$randomNumber = random_int($min, $max);

To generate random bytes for cryptographic purposes.
$randomBytes = random_bytes($length);

[dregad]

Thanks for your report. Please note

• adodb-time.inc.php was deprecated in 5.22.6 and removed in 5.23.0, see Remove obsolete Date/Time library #970
• not all usage of rand() actually requires a CSPRNG... your list contains mostly false positives

At first glance, only usages around ADOdb sessions (crypt.inc.php, adodb-session*.php are potentially problematic.

This code is very old and shows its age... An in-depth refactoring would be needed, replacing rand() by random_int() would only scratch the surface and be kind of pointless, considering we have code performing md5 / sha1 "encryption", or relying on mcrypt (removed in PHP 7.2).