Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 7.5
CVE Id: CVE-2008-2107
Last Modified: 30 Oct 2012 10:56:50
Published: 07 May 2008 05:20:00
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2008-2107

Summary

The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 32-bit systems, performs a multiplication using values that can produce a zero seed in rare circumstances, which allows context-dependent attackers to predict subsequent values of the rand and mt_rand functions and possibly bypass protection mechanisms that rely on an unknown initial seed.

Vulnerable Systems

Application

  • PHP 4.4.7
  • PHP 5
  • PHP 5.0.0
  • PHP 5.0.1
  • PHP 5.0.2
  • PHP 5.0.3
  • PHP 5.0.4
  • PHP 5.0.5
  • PHP 5.1.0
  • PHP 5.1.1
  • PHP 5.1.2
  • PHP 5.1.3
  • PHP 5.1.4
  • PHP 5.1.5
  • PHP 5.1.6
  • PHP 5.2.0
  • PHP 5.2.1
  • PHP 5.2.2
  • PHP 5.2.3
  • PHP 5.2.4


References

FEDORA - FEDORA-2008-3606
FEDORA - FEDORA-2008-3864
XF - php-generateseed-weak-security(42226)
UBUNTU - USN-628-1
MISC - http://www.sektioneins.de/advisories/SE-2008-02.txt
BUGTRAQ - 20080506 Advisory SE-2008-02: PHP GENERATE_SEED() Weak Random Number Seed Vulnerability
REDHAT - RHSA-2008:0582
REDHAT - RHSA-2008:0546
REDHAT - RHSA-2008:0545
REDHAT - RHSA-2008:0544
REDHAT - RHSA-2008:0505
MANDRIVA - MDVSA-2008:130
MANDRIVA - MDVSA-2008:129
MANDRIVA - MDVSA-2008:128
MANDRIVA - MDVSA-2008:127
MANDRIVA - MDVSA-2008:126
MANDRIVA - MDVSA-2008:125
DEBIAN - DSA-1789
SREASON - 3859
SECUNIA - 35003
SECUNIA - 31200
SECUNIA - 31124
SECUNIA - 31119
SECUNIA - 30967
SECUNIA - 30828
SECUNIA - 30757
SUSE - SUSE-SR:2008:014
XF - php-generateseed-security-bypass(42284)
GENTOO - GLSA-200811-05
SECUNIA - 32746

Related Patches

Red Hat 2008:0544-06 RHSA Moderate: php security update for RHEL 5 x86


Last Updated: 27 May 2016 10:49:48