Suhosin 0.9.26 - Improved Randomness
August 22nd, 2008 | by Stefan Esser |
I just released Suhosin 0.9.26 which among bugfixes contains new features. The full changelog is
- Fixed problem with suhosin.perdir
Thanks to Hosteurope for tracking this down - Fixed problems with ext/uploadprogress
Reported by: Christian Stocker - Added suhosin.srand.ignore and suhosin.mt_srand.ignore (default: on)
- Modified rand()/srand() to use the Mersenne Twister algorithm with separate state
- Added better internal seeding of rand() and mt_rand()
The last three items in the changelog mean that the randomness of PHP’s rand() and mt_rand() functions have been greatly improved over vanilla PHP. This means when the Suhosin extension is installed on a server all the attacks described in my previous blogpost about PHP’s random number generators are no longer possible. This adds another generic protection to kill a whole class of bugs at once.
As usual you can grab your copy at
36 Responses to “Suhosin 0.9.26 - Improved Randomness”
By Jason Frisvold on Aug 22, 2008 | Reply
Stefan,
Just to clarify here.. The two config options disable the PHP versions of rand and mt_rand?
Thanks!
By Stefan Esser on Aug 22, 2008 | Reply
No. rand() and mt_rand() are replaced with own versions that are better seeded always.
The two config options
suhosin.srand.ignore
suhosin.mt_srand.ignore
do what their name says: When set calls to srand() and mt_srand() are ignored. This means applications cannot seed the random number generators anymore. Therefore always the better seeding is used.
By paul gao on Aug 23, 2008 | Reply
make failed…
ext/suhosin/execute.o: In function `ih_mt_rand’:
execute.c:(.text+0×110e): undefined reference to `php_mt_reload’
ext/suhosin/execute.o: In function `ih_rand’:
execute.c:(.text+0×3441): undefined reference to `php_mt_reload’
collect2: ld returned 1 exit status
make: *** [sapi/cli/php] Error 1
make: *** Waiting for unfinished jobs….
ext/suhosin/execute.o: In function `ih_mt_rand’:
execute.c:(.text+0×110e): undefined reference to `php_mt_reload’
ext/suhosin/execute.o: In function `ih_rand’:
execute.c:(.text+0×3441): undefined reference to `php_mt_reload’
collect2: ld returned 1 exit status
make: *** [sapi/cgi/php-cgi] Error 1
By Stefan Esser on Aug 23, 2008 | Reply
@paul gao:
Thank you for reporting this. Obviously my protection against that kind of fault does not work on Mac OS X. The lazy loading has hidden this typo.
I therefore released Suhosin 0.9.27 today.
By Seth on Sep 9, 2008 | Reply
Have you read “Silence on the Wire”? It has a section about the randomness of random number generators, with very interesting visual graphs to represent how random they are (or are not, usually).
Before reading SOtW, I frequently wondered about PHP’s random number generator, and after reading it, well, I began to worry!
So Suhosin makes me sleep a little easier at night.
By Sukabumi on Sep 12, 2008 | Reply
Would you help how to install Suhosin 0.9.26.
I’m newby.
Thanks
By Jonathan on Sep 15, 2008 | Reply
I don’t get it. Why disable srand?
This totally screwed up a validation method I used.
The idea was generate a random number (r) client-side, and then post that number to generate an image with a 5 digit number. The user then had to type the same 5-digit number which was passed back to the server along with r for validation.
By using r as the seed when generating and again when checking should allow for safe validation.
Unfortunately my host unbeknownst to me upgraded and suddenly i could no longer produce a consistent value.
By Stefan Esser on Sep 15, 2008 | Reply
srand() was disabled because the use of srand() endagers other PHP applications on the same server.
Aside from that your verification method does not make sense. What does stop an attacker to always enter the same value for r to always break the same captcha?
By ghprod on Sep 28, 2008 | Reply
Hi i know this place from wordpress.org …
It’s said it can cover bug in 2.6.1
Thnx
By Andreas Mauf on Jan 2, 2009 | Reply
Even when setting “suhosin.srand.ignore” to “Off” and seeding with the same integer, I don’t get the same random sequence anymore as in suhosin version 0.9.23. Was this intended? I need the same random order in some cases for shuffling data.
By Chad on Dec 30, 2009 | Reply
Crap, so now we have to implement a custom random number generator just to accomplish this?
srand($userid);
shuffle($array);
You know, as long as you are gutting PHP, perhaps consider disabling “echo”, “print”, “while” and “foreach”. They are certainly used more often in exploits.