CVE-2010-5079 Information
Description
SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 uses weak entropy when generating tokens for (1) the CSRF protection mechanism (2) autologin (3) \forgot password\ functionality and (4) password salts which makes it easier for remote attackers to bypass intended access restrictions via unspecified vectors.
Reference
http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10 http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4 http://open.silverstripe.org/changeset/114497 http://open.silverstripe.org/changeset/114498 http://open.silverstripe.org/changeset/114503 http://open.silverstripe.org/changeset/114504 http://open.silverstripe.org/changeset/114505 http://www.openwall.com/lists/oss-security/2011/01/03/12 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 http://www.openwall.com/lists/oss-security/2012/05/01/3
Share on: