GMS-2015-49: Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word

November 23, 2015

Zend generates a “word” for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP’s internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.

References

framework.zend.com/security/advisory/ZF2015-09

Code Behaviors & Features

Detect and mitigate GMS-2015-49 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →