CVE-2010-1128
Published: 2010-03-26
Priority: P338 · Severity: medium · CVSS 2.0 base score: 6.4
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:N (network access vector, low access complexity, no authentication, partial confidentiality and integrity impact, no availability impact)
Exploit / EPSS: 7.94% (94.0th percentile)
The Linear Congruential Generator (LCG) in PHP before 5.2.13 does not provide the expected entropy, which makes it easier for context-dependent attackers to guess values that were intended to be unpredictable, as demonstrated by session cookies generated by using the uniqid function.
Affected (13 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | <= 5.2.12 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| vendor_redhat | — | 6.4 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
GHSA
GHSA-59wc-4gch-hhw5 (ghsa_unreviewed · 2022-05-02): CVE-2010-1128 [MEDIUM]
The Linear Congruential Generator (LCG) in PHP before 5.2.13 does not provide the expected entropy, which makes it easier for context-dependent attackers to guess values that were intended to be unpredictable, as demonstrated by session cookies generated by using the uniqid function.
Ubuntu
PHP vulnerabilities (vendor_ubuntu · 2010-09-20 · CVSS 5.0)
CVE-2010-0397 [MEDIUM] PHP vulnerabilities

Auke van Slooten discovered that PHP incorrectly handled certain xmlrpc requests. An attacker could exploit this issue to cause the PHP server to crash, resulting in a denial of service. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2010-0397)

It was discovered that the pseudorandom number generator in PHP did not provide the expected entropy. An attacker could exploit this issue to predict values that were intended to be random, such as session cookies. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2010-1128)

It was discovered that PHP did not properly handle directory pathnames that lacked a trailing slash character. An attacker could exploit this issue to bypass safe_mode restrictions. This issue only affe
Red Hat
php: LCG entropy weakness (vendor_redhat · 2010-02-25 · CVSS 6.4)
CVE-2010-1128 [MEDIUM] php: LCG entropy weakness

The Linear Congruential Generator (LCG) in PHP before 5.2.13 does not provide the expected entropy, which makes it easier for context-dependent attackers to guess values that were intended to be unpredictable, as demonstrated by session cookies generated by using the uniqid function.

Statement: This issue is not planned to be fixed in Red Hat Enterprise Linux 3 due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important and critical impact are addressed. For further information about the Errata Support Policy, visit: http://www.redhat.com/security/updates/errata
No detection rules found.
References
- http://secunia.com/advisories/38708
- http://secunia.com/advisories/42410
- http://www.php.net/ChangeLog-5.php
- http://www.php.net/releases/5_2_13.php
- http://www.redhat.com/support/errata/RHSA-2010-0919.html
- http://www.securityfocus.com/bid/38430
- http://www.vupen.com/english/advisories/2010/0479
- http://www.vupen.com/english/advisories/2010/3081