GHSA-848f-mph5-9pm9: 
PHP vulnerability analysis and mitigation

In Zend Framework, a security vulnerability was identified affecting both ZendCaptchaWord (v1) and Zend\Captcha\Word (v2) components. The vulnerability, tracked as GHSA-848f-mph5-9pm9, was disclosed on November 23, 2015. The issue affects versions 1.12.0 through 1.12.17 of the Zend Framework. The vulnerability stems from the CAPTCHA word generation mechanism, which uses PHP's array_rand() function for selecting random letters from a character set (Zend Advisory).

The vulnerability is classified with a High severity rating of 7.5 CVSS score. The technical root cause lies in the usage of PHP's arrayrand() function, which internally relies on the rand() function instead of more cryptographically secure methods like opensslpseudorandombytes(). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network vector attack capability with low complexity and no required privileges or user interaction (GitHub Advisory).

The vulnerability could potentially lead to information disclosure if an attacker successfully brute forces the random number generation. The impact is primarily focused on confidentiality, with no direct effect on integrity or availability of the system (GitHub Advisory).

The vulnerability has been patched in multiple versions. For Zend Framework 1.12.17, new methods randBytes() and randInteger() were added to ZendCryptMath, and ZendCaptchaAbstractWord was updated to use ZendCryptMath::randInteger() instead of array_rand(). For the package zendframework/zend-captcha 2.4.9/2.5.2 and Zend Framework 2.4.9, Zend\Captcha\AbstractWord was updated to use Zend\Math\Rand::getInteger(). Users are recommended to upgrade to version 1.12.17 or later (Zend Advisory).

The Zend Framework team acknowledged Vincent Herbulot for reporting the issue and Enrico Zimuel for providing the patches (Zend Advisory).