Description: The gen_rand_string function in phpBB 2.0.19 uses insufficiently random data (small value space) to create the activation key ("validation ID") that is sent by e-mail when establishing a password, which makes it easier for remote attackers to obtain the key and modify passwords for existing accounts or create new accounts.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs


[sarge] - phpbb2 <no-dsa> (Minor issue)
According to the maintainers, phpbb2 doesn't have useful countermeasures against
brute-force password guessing, and as password seeding is based on milliseconds,
NTP-timed attacks may even be in the area of a couple of thousand attempts
instead of a million.
Fixed in 2.0.20
