CVE-2006-0632

Name	CVE-2006-0632
Description	The gen_rand_string function in phpBB 2.0.19 uses insufficiently random data (small value space) to create the activation key ("validation ID") that is sent by e-mail when establishing a password, which makes it easier for remote attackers to obtain the key and modify passwords for existing accounts or create new accounts.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
phpbb2	source	(unstable)	2.0.20	low

Notes

[sarge] - phpbb2 <no-dsa> (Minor issue)
According to maintainers phpbb2 doesn't have useful countermeasures against
brute-force password guessing and as password seeding is based on milliseconds
NTP-timed attacks may even be in the area of a couple thousands attempts
instead of a million
Fixed in 2.0.20