Use of a Broken or Risky Cryptographic Algorithm in geshi/geshi.php about geshi-1.0 HOT 6 CLOSED

Where exactly is the security problem here?

from geshi-1.0.

maybe substr(0,4) from md5(randomstuff) is too predictible, doesn't this let us with something like 36^4 possibility "only"??? https://phpsecurity.readthedocs.io/en/latest/Insufficient-Entropy-For-Random-Values.html
and i found http://php.net/manual/fr/function.microtime.php#101561

While doing some experiments on using microtime()'s output for an entropy generator I found that its microsecond value was always quantified to the nearest hundreds (i.e. the number ends with 00), which affected the randomness of the entropy generator.

from geshi-1.0.

And where exactly is a random HTML id attribute a security problem?

from geshi-1.0.

md5(microtime()) This function uses the !php_standard_ns.md5() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5.

from geshi-1.0.

• you provided evidence that a not-so-secure ID attribute is a security risk
• you understand the problem

from geshi-1.0.

The provided algorithm is for generating a set of random IDs in case where the user does not provide a custom one, but where still the code needs to generate some (somewhat) unique ID. As the ID is truncated to be short even using something "more secure" like SHA-256 or Keccak won't solve the problem of collissions. The only solution really fixing the issue would be for the user of the library to provide GeSHi with a guaranteed-random base ID. In absence of a guaranteed-unique value provided by the caller, reasonably trying to generate something random is sufficient (and NOT a security issue); i.e. the worst that can happen is the UA rendering the returned string switching to Quirks Mode due to duplicated generated IDs in the document.

from geshi-1.0.