Suhosin 0.9.26 - Improved Randomness

August 22nd, 2008 | by Stefan Esser

I just released Suhosin 0.9.26, which contains new features in addition to bugfixes. The full changelog is:

  • Fixed problem with suhosin.perdir
    Thanks to Hosteurope for tracking this down
  • Fixed problems with ext/uploadprogress
    Reported by: Christian Stocker
  • Added suhosin.srand.ignore and suhosin.mt_srand.ignore (default: on)
  • Modified rand()/srand() to use the Mersenne Twister algorithm with separate state
  • Added better internal seeding of rand() and mt_rand()

The last three items in the changelog mean that the randomness of PHP’s rand() and mt_rand() functions has been greatly improved over vanilla PHP. This means that when the Suhosin extension is installed on a server, all the attacks described in my previous blog post about PHP’s random number generators are no longer possible. This adds another generic protection that kills a whole class of bugs at once.

As usual you can grab your copy at

http://www.suhosin.org/
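To see on a given host whether the new seeding behaviour is actually in effect, the following added example (not Suhosin's own code) reads the two new ini options and then checks whether an explicit seed still produces a repeatable sequence. It is written in PHP 5-era syntax to match the PHP versions Suhosin 0.9.26 targeted.

```php
<?php
// Added example (not Suhosin's own code): check on a given host whether
// Suhosin is loaded and whether explicit seeding is really being ignored.

// Seed, then draw $count values; returns the sequence for comparison.
function seeded_sequence($seed, $count)
{
    srand($seed);
    $out = array();
    for ($i = 0; $i < $count; $i++) {
        $out[] = rand();
    }
    return $out;
}

function mt_seeded_sequence($seed, $count)
{
    mt_srand($seed);
    $out = array();
    for ($i = 0; $i < $count; $i++) {
        $out[] = mt_rand();
    }
    return $out;
}

$loaded = extension_loaded('suhosin');
printf("suhosin loaded: %s\n", $loaded ? 'yes' : 'no');
if ($loaded) {
    // ini_get() returns the raw ini string; "1" or "On" means seeding is ignored.
    printf("suhosin.srand.ignore    = %s\n", ini_get('suhosin.srand.ignore'));
    printf("suhosin.mt_srand.ignore = %s\n", ini_get('suhosin.mt_srand.ignore'));
}

// Behavioural check: if seeding is honoured, two runs with the same seed
// give identical sequences; if Suhosin ignores srand()/mt_srand(), both
// runs use its own internal seeding and the sequences differ.
$seed = 12345;
$srand_honoured    = seeded_sequence($seed, 5) === seeded_sequence($seed, 5);
$mt_srand_honoured = mt_seeded_sequence($seed, 5) === mt_seeded_sequence($seed, 5);
printf("srand() honoured:    %s\n", $srand_honoured ? 'yes' : 'no (ignored)');
printf("mt_srand() honoured: %s\n", $mt_srand_honoured ? 'yes' : 'no (ignored)');
```

With suhosin.srand.ignore and suhosin.mt_srand.ignore at their default of On, both checks report "no (ignored)"; on vanilla PHP, or with the options set to Off, they report "yes".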

  36 Responses to “Suhosin 0.9.26 - Improved Randomness”

  By Jason Frisvold on Aug 22, 2008

    Stefan,

    Just to clarify here.. The two config options disable the PHP versions of rand and mt_rand?

    Thanks!

  By Stefan Esser on Aug 22, 2008

    No. rand() and mt_rand() are replaced with Suhosin’s own versions that are always better seeded.

    The two config options

    suhosin.srand.ignore
    suhosin.mt_srand.ignore

    do what their names say: when set, calls to srand() and mt_srand() are ignored. This means applications cannot seed the random number generators anymore. Therefore the better seeding is always used.

  By paul gao on Aug 23, 2008

    make failed...
    ext/suhosin/execute.o: In function `ih_mt_rand':
    execute.c:(.text+0x110e): undefined reference to `php_mt_reload'
    ext/suhosin/execute.o: In function `ih_rand':
    execute.c:(.text+0x3441): undefined reference to `php_mt_reload'
    collect2: ld returned 1 exit status
    make: *** [sapi/cli/php] Error 1
    make: *** Waiting for unfinished jobs....
    ext/suhosin/execute.o: In function `ih_mt_rand':
    execute.c:(.text+0x110e): undefined reference to `php_mt_reload'
    ext/suhosin/execute.o: In function `ih_rand':
    execute.c:(.text+0x3441): undefined reference to `php_mt_reload'
    collect2: ld returned 1 exit status
    make: *** [sapi/cgi/php-cgi] Error 1

    :(

  By Stefan Esser on Aug 23, 2008

    @paul gao:

    Thank you for reporting this. Obviously my protection against that kind of fault does not work on Mac OS X. The lazy loading has hidden this typo.

    I therefore released Suhosin 0.9.27 today.

  By Seth on Sep 9, 2008

    Have you read “Silence on the Wire”? It has a section about the randomness of random number generators, with very interesting visual graphs to represent how random they are (or are not, usually).

    Before reading SOtW, I frequently wondered about PHP’s random number generator, and after reading it, well, I began to worry!

    So Suhosin makes me sleep a little easier at night.

  By Sukabumi on Sep 12, 2008

    Would you help me with how to install Suhosin 0.9.26?
    I’m a newbie.

    Thanks

  By Jonathan on Sep 15, 2008

    I don’t get it. Why disable srand?

    This totally screwed up a validation method I used.

    The idea was generate a random number (r) client-side, and then post that number to generate an image with a 5 digit number. The user then had to type the same 5-digit number which was passed back to the server along with r for validation.

    By using r as the seed when generating and again when checking should allow for safe validation.

    Unfortunately my host, unbeknownst to me, upgraded and suddenly I could no longer produce a consistent value.

  By Stefan Esser on Sep 15, 2008

    srand() was disabled because the use of srand() endangers other PHP applications on the same server.

    Aside from that, your verification method does not make sense. What stops an attacker from always entering the same value for r to always break the same captcha?

  By ghprod on Sep 28, 2008

    Hi i know this place from wordpress.org …

    It’s said it can cover bug in 2.6.1 :D

    Thnx

  By Andreas Mauf on Jan 2, 2009

    Even when setting “suhosin.srand.ignore” to “Off” and seeding with the same integer, I don’t get the same random sequence anymore as in suhosin version 0.9.23. Was this intended? I need the same random order in some cases for shuffling data.

  By Chad on Dec 30, 2009

    Crap, so now we have to implement a custom random number generator just to accomplish this?

    srand($userid);
    shuffle($array);

    You know, as long as you are gutting PHP, perhaps consider disabling “echo”, “print”, “while” and “foreach”. They are certainly used more often in exploits.
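The need Chad and Andreas Mauf describe, a repeatable per-user order, can be met without reseeding the process-wide generator at all. The following is an added example, not code from Suhosin or from the commenters: a Fisher-Yates shuffle driven by HMAC-SHA256 output keyed with a server secret, so the order is deterministic for a given user yet the shared rand()/mt_rand() state is never touched and the sequence cannot be reproduced from the user id alone. $server_secret is a placeholder for a secret loaded from configuration.

```php
<?php
// Added example (not from Suhosin or the commenters): deterministic
// per-user shuffle that never calls srand()/mt_srand(). The index stream
// is derived from HMAC-SHA256(server_secret, user_id:block_counter), so a
// given (user, secret) pair always yields the same order, while the
// process-wide rand()/mt_rand() state stays untouched.
function keyed_shuffle(array $items, $user_id, $server_secret)
{
    $items  = array_values($items);   // behave like shuffle(): reindex 0..n-1
    $stream = '';                     // current HMAC block, consumed 4 bytes at a time
    $offset = 0;
    $block  = 0;
    for ($i = count($items) - 1; $i > 0; $i--) {
        // Smallest all-ones mask covering 0..$i, then rejection-sample so
        // that every index in 0..$i is equally likely (no modulo bias).
        $mask = 1;
        while ($mask < $i) {
            $mask = ($mask << 1) | 1;
        }
        do {
            if ($offset + 4 > strlen($stream)) {
                $stream = hash_hmac('sha256', $user_id . ':' . $block++, $server_secret, true);
                $offset = 0;
            }
            $word = unpack('N', substr($stream, $offset, 4));
            $offset += 4;
            $j = $word[1] & $mask;
        } while ($j > $i);
        $tmp       = $items[$i];
        $items[$i] = $items[$j];
        $items[$j] = $tmp;
    }
    return $items;
}

// Constructed sample input; $server_secret is a placeholder value.
$server_secret = 'REPLACE-WITH-SECRET-FROM-CONFIG';
$data = range(1, 10);

// Same user and secret: identical order on every call, no srand() needed.
$first  = keyed_shuffle($data, 42, $server_secret);
$second = keyed_shuffle($data, 42, $server_secret);
echo 'repeatable for user 42: ', ($first === $second ? 'yes' : 'no'), "\n";

// A different user gets a different order, and the global generator is unaffected.
$other = keyed_shuffle($data, 43, $server_secret);
echo 'user 42 vs user 43 differ: ', ($first !== $other ? 'yes' : 'no'), "\n";
```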
