Re: The OAuth2 Complete plugin for WordPress uses a pseudorandom number generator which is non-cryptographically secure (WordPress plugin)

Posted by Scott Arciszewski on Aug 12

Hi Tom, FD readers,

The bug you are referring to was fixed in PHP 5.3.7; this can be
solved by checking the PHP version and/or by not supporting older and
insecure versions of PHP.

See random_compat for how this should be done:

https://github.com/paragonie/random_compat/blob/master/lib/random.php#L53

Let’s quantify these numbers:

* mt_rand()
* Predictable, only up to 31 bits of entropy in the possible seed values
*…
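As an added illustration of the version-gating approach the reply recommends (this is example code written for this page, not code from the post, from the OAuth2 Complete plugin, or from random_compat), the helper below gates openssl_random_pseudo_bytes() on PHP 5.3.7 or newer, prefers the built-in random_bytes() where it exists, and fails closed rather than falling back to mt_rand(). The function names secure_random_bytes() and secure_token() and the 32-byte default are assumptions chosen for the example.

```php
<?php
// Added example (not from the post or from random_compat): a token generator
// that never falls back to mt_rand()/rand() and only trusts the OpenSSL source
// on PHP >= 5.3.7, the version the reply names as carrying the fix.

function secure_random_bytes($length)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('Length must be a positive integer');
    }

    // PHP 7.0+: the built-in CSPRNG is the right answer.
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }

    // Older PHP: accept openssl_random_pseudo_bytes() only on >= 5.3.7 and only
    // when it reports the output as cryptographically strong.
    if (PHP_VERSION_ID >= 50307 && function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($strong === true && $bytes !== false && strlen($bytes) === $length) {
            return $bytes;
        }
    }

    // Last resort on Unix-like hosts: read directly from /dev/urandom.
    // fread() may return short reads on a character device, so loop.
    if (is_readable('/dev/urandom')) {
        $fp = fopen('/dev/urandom', 'rb');
        if ($fp !== false) {
            $bytes = '';
            $attempts = 0;
            while (strlen($bytes) < $length && $attempts < 16) {
                $chunk = fread($fp, $length - strlen($bytes));
                if ($chunk === false || $chunk === '') {
                    break;
                }
                $bytes .= $chunk;
                $attempts++;
            }
            fclose($fp);
            if (strlen($bytes) === $length) {
                return $bytes;
            }
        }
    }

    // No acceptable source: fail closed instead of degrading to mt_rand().
    throw new RuntimeException('No cryptographically secure randomness source available');
}

// Hex-encoded token for use as an OAuth client secret or state value.
// 32 random bytes give 256 bits of entropy, versus at most 31 bits of seed
// space for mt_rand() as the reply notes.
function secure_token($byteLength = 32)
{
    return bin2hex(secure_random_bytes($byteLength));
}

echo secure_token(), PHP_EOL;
```

The point of the structure is that every branch either returns bytes from a source that is acceptable on the running PHP version or throws; there is no path that silently produces a predictable token on an old interpreter, which is exactly the failure the reply describes.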
