Insecure Randomness for encryption keys – (miniOrange <= 5.5.82)

Affected plugin: miniOrange
Active installs: 20,000+
Vulnerable version: <= 5.5.82
Audited version: 5.5.82
Fully patched version:
Recommended remediation: Removal of the plugin


The plugin uses an eight-character string produced by a non-cryptographic random number generator as its OpenSSL encryption key.

Proof of concept

The plugin uses OpenSSL to encrypt users’ TOTP secret keys in the database.

function mo_GAuth_set_secret($user_id,$secret){
  global $Mo2fdbQueries;
  // EDITOR: key generation reconstructed from the description above (eight characters from random_str); the original excerpt omits this line.
  $key = random_str(8);
  update_user_meta( $user_id, 'mo2f_get_auth_rnd_string', $key);

  // EDITOR: $key is ultimately passed into openssl_encrypt.
  update_user_meta( $user_id, 'mo2f_gauth_key', $secret);
}

The implementation of “random_str” uses PHP’s “rand” function, which is unacceptable in any cryptographic context.

function random_str($length, $keyspace = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ')
{
    $randomString = '';
    $charactersLength = strlen($keyspace);
    for ($i = 0; $i < $length; $i++) {
        // rand() is a non-cryptographic PRNG: its output is predictable from its seed.
        $randomString .= $keyspace[rand(0, $charactersLength - 1)];
    }
    return $randomString;
}


This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using random_int(), random_bytes(), or openssl_random_pseudo_bytes() instead.

Proposed patch

Use PHP’s random_int() function instead of rand() to generate a cryptographically secure random integer.
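The proposed patch applied, as an added PHP example that is not the plugin's code: random_str() with random_int() in place of rand(), and, a step beyond what the advisory proposes, the OpenSSL key itself taken from random_bytes() and used with authenticated encryption. The cipher (aes-256-gcm), the 32-byte key length and the Base32 sample seed are assumptions, not values from the advisory.

```php
<?php
// Added example, not the plugin's code: the proposed patch applied (random_int in
// place of rand), plus the OpenSSL key itself taken from raw CSPRNG bytes.
const KEYSPACE = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
const CIPHER = 'aes-256-gcm'; // assumed cipher; the advisory names none

// Drop-in replacement for random_str(): same signature, random_int() for rand().
function secure_random_str(int $length, string $keyspace = KEYSPACE): string
{
    if ($length < 1 || strlen($keyspace) < 2) {
        throw new InvalidArgumentException('length >= 1 and keyspace >= 2 chars');
    }
    $max = strlen($keyspace) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $keyspace[random_int(0, $max)]; // throws if no CSPRNG source exists
    }
    return $out;
}
// Authenticated encryption of a TOTP seed under a raw 32-byte key. The IV is
// fresh per call and stored with the ciphertext; it must never repeat under a key.
function encrypt_totp_secret(string $secret, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag = '';
    $ct = openssl_encrypt($secret, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    return base64_encode($iv . $tag . $ct);
}

function decrypt_totp_secret(string $blob, string $key): string
{
    $raw = (string) base64_decode($blob, true); // false (bad input) becomes ''
    $ivLen = openssl_cipher_iv_length(CIPHER);
    $iv = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, 16);
    $pt = openssl_decrypt(substr($raw, $ivLen + 16), CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('authentication tag mismatch or wrong key');
    }
    return $pt;
}
// An 8-char alphanumeric string is ~47 bits of entropy; AES-256 wants 32 raw bytes.
$key = random_bytes(32);
$blob = encrypt_totp_secret('JBSWY3DPEHPK3PXP', $key); // constructed Base32 seed
assert(decrypt_totp_secret($blob, $key) === 'JBSWY3DPEHPK3PXP');
echo secure_random_str(8), "\n";
```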


Vendor contacted: September 12, 2022
First response: September 16, 2022
Fully patched at:
Publicly disclosed: April 24, 2023

