Insecure Random Number Generation in MyBB (MyBulletinBoard) Allows for Brute-Force Account Takeover

Insecure Random Number Generation in MyBB (MyBulletinBoard) Allows for Brute-Force Account Takeover

CVE-2010-4626 · MEDIUM Severity

AV:N/AC:H/AU:N/C:P/I:P/A:P

The my_rand function in functions.php in MyBB (aka MyBulletinBoard) before 1.4.12 does not properly use the PHP mt_rand function, which makes it easier for remote attackers to obtain access to an arbitrary account by requesting a reset of the account's password, and then conducting a brute-force attack.

Learn more about our Web Application Penetration Testing UK.