Security

Security Advisory: ZF2015-09

ZF2015-09: Potential Information Disclosure and Insufficient Entropy vulnerability in Zend\Captcha\Word

In Zend Framework, Zend_Captcha_Word (v1) and Zend\Captcha\Word (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation.

Action Taken

The code used to randomly select letters was updated as follows:

  • In Zend Framework 1.12.17, the methods randBytes() and randInteger() were added to Zend_Crypt_Math. Zend_Captcha_AbstractWord was updated to use Zend_Crypt_Math::randInteger() instead of array_rand() when selecting letters for the CAPTCHA word.
  • In the package zendframework/zend-captcha 2.4.9/2.5.2 and Zend Framework 2.4.9, Zend\Captcha\AbstractWord was updated to use Zend\Math\Rand::getInteger() instead of array_rand() when selecting letters for the CAPTCHA word.

The following releases contain the fixes:

  • Zend Framework 1.12.17
  • Zend Framework 2.4.9
  • zend-captcha 2.4.9
  • zend-captcha 2.5.2

Recommendations

This patch is considered a security hardening patch, and as such, was not assigned a CVE identifier.

Regardless, if you use one of the word-based CAPTCHA adapters in Zend Framework 1 or 2, we recommend upgrading to 1.12.17, 2.4.9, or zend-captcha 2.4.9/2.5.2.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

Released 2015-11-23

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2017 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts