phpwn: PHP cookie PRNG flawed (Netscape redux)
Chris Palmer
chris at noncombatant.org
Thu Aug 5 13:33:17 EDT 2010
travis+ml-cryptography at subspacefield.org writes:
> https://media.blackhat.com/bh-us-10/whitepapers/Kamkar/BlackHat-USA-2010-Kamkar-How-I-Met-Your-Girlfriend-wp.pdf
He doesn't mention the php.ini variables session.entropy_length and
session.entropy_file. Last I checked, their default settings were unsafe,
but setting them to 16 and /dev/urandom should solve the problem he
describes in the paper.
Unless not.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list