Insufficiently random values
Platform: ownCloud Server
Risk level: Low
The rand() and mt_rand() functions in PHP < 5.4.x (CVE-2008-4107) do not produce cryptographically strong random numbers: both are deterministic generators whose entire output stream is fixed by a small seed and can be reproduced by an attacker who recovers the seed or the generator state from observed outputs. Any product that relies on them for security-relevant values (tokens, nonces, session identifiers) is exposed. In ownCloud 4.0.x the password-reset functionality generated its reset tokens this way, so reset tokens were predictable. Note that neither function is a cryptographically secure PRNG in any PHP version; the fix is to draw security-relevant values from a CSPRNG source, not merely to upgrade PHP.
- ownCloud Server < 4.0.8 (CVE-2008-4107)
It is recommended that all instances be upgraded to ownCloud Server 4.0.8 or later.
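The following is an added illustration of the weakness described above and of the hardened pattern; it is example code written for this page, not ownCloud's own code or its actual fix, and the function names (weakResetToken, strongResetToken, tokenMatches) are hypothetical. It shows that a reset token built from mt_rand() is fully determined by the seed, while one built from random_bytes() is not reproducible.

```php
<?php
declare(strict_types=1);

// Weak token generation: the pattern this advisory warns against.
// mt_rand() is a Mersenne Twister seeded from a 32-bit value. Its whole output
// stream is a deterministic function of that seed, so anyone who learns or
// brute-forces the seed, or recovers the generator state from other observed
// outputs, can reproduce every token the process hands out.
// (Hypothetical helper; not ownCloud's code.)
function weakResetToken(int $length = 32): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $token;
}

// Hardened version: random_bytes() (PHP >= 7.0) reads from the operating
// system's CSPRNG and throws an Exception if no secure source is available,
// so it never silently degrades to a predictable generator.
// (Hypothetical helper; not ownCloud's code.)
function strongResetToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes)); // 256 bits of entropy, hex-encoded
}

// Compare a submitted token with the stored one in constant time, so the
// verification step does not leak how many leading characters matched.
function tokenMatches(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted);
}

// Demonstration 1: same seed, same "random" token.
mt_srand(1234567);
$a = weakResetToken();
mt_srand(1234567);
$b = weakResetToken();
printf("mt_rand token, seed 1234567, run 1: %s\n", $a);
printf("mt_rand token, seed 1234567, run 2: %s\n", $b);
printf("identical: %s\n", $a === $b ? 'yes' : 'no'); // yes: determined entirely by the seed

// Demonstration 2: CSPRNG-backed tokens cannot be regenerated from a seed.
$t1 = strongResetToken();
$t2 = strongResetToken();
printf("random_bytes token 1: %s\n", $t1);
printf("random_bytes token 2: %s\n", $t2);
printf("identical: %s\n", $t1 === $t2 ? 'yes' : 'no'); // no
printf("verification of a valid token: %s\n", tokenMatches($t1, $t1) ? 'ok' : 'fail');
printf("verification of a forged token: %s\n", tokenMatches($t1, $t2) ? 'ok' : 'fail');
```

On PHP 5.x, where random_bytes() does not exist, the equivalent is openssl_random_pseudo_bytes() with its $crypto_strong output parameter checked, or a direct read from /dev/urandom; whichever source is used, a failure to obtain strong bytes must abort token generation rather than fall back to mt_rand(). Reset tokens should also be stored hashed and expire after a short window, so that even a leaked token has limited value.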
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Pascal Junod – HEIG-VD (University of Applied Sciences Western Switzerland) – Vulnerability discovery and disclosure.