CVE-2010-4626

MEDIUM 5.1 / 10.0
Published: December 30, 2010 at 09:00 PM
Modified: April 11, 2025 at 12:51 AM
Source: cve@mitre.org

Vulnerability Description

The my_rand function in functions.php in MyBB (aka MyBulletinBoard) before 1.4.12 does not properly use the PHP mt_rand function, which makes it easier for remote attackers to obtain access to an arbitrary account by requesting a reset of the account's password, and then conducting a brute-force attack.

CVSS Metrics

Base Score
5.1
Severity
MEDIUM
Vector String
AV:N/AC:H/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

MyBB versions before 1.4.12 contain a weakness in the my_rand function in functions.php that can lead to account takeover. Because my_rand misuses PHP's mt_rand, the random values it feeds into password-reset tokens are predictable enough that an attacker who requests a reset for a target account can brute-force the token rather than guess it blindly. The page's own CVSS v2 score is 5.1 (MEDIUM) with high access complexity, so this is not a trivially exploitable bug, but a successful attack gives the attacker full control of the victim's account and therefore impacts confidentiality, integrity and availability of that user's data.

02 // Vulnerability Mechanism

Step 1: Account Reset Request: The attacker submits a password reset request for the target user account. The attacker never sees the token that is e-mailed to the victim; the point of the attack is to reproduce it.

Step 2: Token Generation: MyBB builds the reset token from values returned by my_rand, which wraps PHP's mt_rand (a Mersenne Twister, MT19937).

Step 3: Candidate Space Reduction: mt_rand is a deterministic generator whose entire output stream is fixed by its seed. Because my_rand in affected versions did not seed and use it properly, the attacker can narrow the set of values the generator could have produced for that reset request to a space small enough to enumerate, instead of the full token space.

Step 4: Token Brute-Force: The attacker generates the candidate tokens from that reduced space and submits them one after another to the reset endpoint until one is accepted. The high access complexity in the CVSS vector reflects this step: it needs many requests and a good model of the generator's state.

Step 5: Password Reset: The accepted token lets the attacker set a new password for the target account.

Step 6: Account Takeover: The attacker logs in with the new password, which fully compromises the account.

03 // Deep Technical Analysis

The vulnerability stems from the improper use of the PHP mt_rand function within the my_rand function in functions.php. mt_rand is an implementation of the Mersenne Twister (MT19937). It is a good statistical PRNG but not a cryptographic one: its output is fully determined by a 32-bit seed supplied to mt_srand, and even without knowing the seed, a long enough run of its raw output lets an observer reconstruct its internal state and predict every later value. Affected versions of my_rand did not seed and use the generator properly, so the values that go into password reset tokens came from a sequence the attacker could reproduce or enumerate. Since the reset token is the only thing authenticating a reset request, a reproducible token is equivalent to a reset that needs no authentication at all. The core issue is therefore not a bug inside mt_rand itself but the choice and handling of a non-cryptographic generator for a secret: a security token must come from a CSPRNG (on PHP of that era, bytes from /dev/urandom or openssl_random_pseudo_bytes; random_bytes on PHP 7 and later), be long enough that online guessing is infeasible, and be rate-limited and short-lived at the reset endpoint so that even a partially predictable token cannot be brute-forced in practice.
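The following Python model illustrates the attack in sections 02 and 03 end to end. It is an added example written for this page, not MyBB's my_rand or its reset code: the MT19937 core is the reference algorithm that PHP's mt_srand/mt_rand are built on (pre-7.1 PHP has a small twist bug, so exact outputs differ), the reset service, the timestamp-based seeding, the token alphabet and the 10 second attacker window are all constructed assumptions standing in for the flawed seeding the advisory describes. The "weak" service derives the token from a generator seeded with the request time, which is the kind of low-entropy seed an attacker can enumerate; the "fixed" service draws the token from the OS CSPRNG, and the same brute force fails against it.

```python
"""Model of the CVE-2010-4626 weakness class: a password-reset token derived
from a Mersenne Twister seeded with low-entropy material.  Constructed for
illustration; this is not MyBB's my_rand() or its reset code."""
import secrets

MASK32 = 0xFFFFFFFF


class MT19937:
    """Reference MT19937 (init_genrand / genrand_int32).  PHP's mt_srand() and
    mt_rand() build on this core; pre-7.1 PHP had a twist bug, so exact
    outputs differ, but the property that matters (seed fixes the whole
    stream) is identical."""

    def __init__(self, seed: int):
        self.mt = [0] * 624
        self.mt[0] = seed & MASK32
        for i in range(1, 624):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & MASK32
        self.idx = 624  # force a twist on first use

    def _twist(self) -> None:
        for i in range(624):
            y = (self.mt[i] & 0x80000000) | (self.mt[(i + 1) % 624] & 0x7FFFFFFF)
            self.mt[i] = self.mt[(i + 397) % 624] ^ (y >> 1) ^ (0x9908B0DF if y & 1 else 0)
        self.idx = 0

    def next_u32(self) -> int:
        if self.idx >= 624:
            self._twist()
        y = self.mt[self.idx]
        self.idx += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & MASK32


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed token alphabet
TOKEN_LEN = 10                                      # assumed token length


def token_from_seed(seed: int) -> str:
    """Same seed -> same token.  That determinism is the whole problem."""
    rng = MT19937(seed)
    return "".join(ALPHABET[rng.next_u32() % len(ALPHABET)] for _ in range(TOKEN_LEN))


class ResetService:
    """Toy reset endpoint.  weak=True seeds the PRNG from the request timestamp
    (an assumed low-entropy seed); weak=False uses the OS CSPRNG."""

    def __init__(self, weak: bool):
        self.weak = weak
        self.pending = {}  # username -> outstanding reset token

    def request_reset(self, username: str, now: int) -> None:
        if self.weak:
            self.pending[username] = token_from_seed(now)
        else:
            self.pending[username] = secrets.token_hex(16)

    def redeem(self, username: str, token: str) -> bool:
        # No expiry and no attempt limit, on purpose: the toy shows the PRNG
        # weakness in isolation.  Real endpoints need both.
        return secrets.compare_digest(self.pending.get(username, ""), token)


def brute_force_reset(service: ResetService, username: str, t_guess: int, slack: int):
    """Attacker: having triggered the reset, they know the request time to
    within `slack` seconds.  Enumerate the seed window and submit each
    candidate token.  Returns (seed, attempts) on success, None otherwise."""
    attempts = 0
    for seed in range(t_guess - slack, t_guess + slack + 1):
        attempts += 1
        if service.redeem(username, token_from_seed(seed)):
            return seed, attempts
    return None


def demo():
    t_request = 1293742800  # constructed timestamp (30 Dec 2010)
    weak = ResetService(weak=True)
    weak.request_reset("victim", t_request)
    # Attacker's clock is 3 s off; a +/-10 s window still covers the real seed.
    hit = brute_force_reset(weak, "victim", t_request + 3, slack=10)

    fixed = ResetService(weak=False)
    fixed.request_reset("victim", t_request)
    miss = brute_force_reset(fixed, "victim", t_request + 3, slack=10)
    return hit, miss


if __name__ == "__main__":
    hit, miss = demo()
    print("weak service: recovered seed and attempts:", hit)  # (1293742800, 8)
    print("fixed service:", miss)                              # None
```

The weak service falls after eight requests because the candidate space is the size of the attacker's clock uncertainty, not the size of the token space (36^10). The fixed service is immune to this enumeration because no seed exists to guess; against it, the only attack left is online guessing of a 128-bit token, which expiry and rate limiting on the endpoint make infeasible.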

CVE-2010-4626 - MEDIUM Severity (5.1) | Free CVE Database | 4nuxd