php - serious bug with random numbers

Question

I finally could create a way to reproduce the bug that I am having. When 2 or more users call a page at the same second modsecurity generates the same sequence of random numbers (using rand() function from php) to both users.

Here is a demonstration of the bug:

http://quemfazsite.com.br/em_criacao/modelo9/teste.php

Opening this page, 2 iframes will load and each one should be generating random numbers independetly of each other but both frames are generating the same sequence of random numbers! The very simple source code can be seen below. If you dont see the same sequence I ask you to reload the page a few times till you get the same number sequence.

EDIT: this bug only happens with modsecurity active. If you comment the "LoadModule" line that loads the modsecurity the bug wont happen!

<?php

if (isset($_GET["test"])) {

        $output= "";

        for ($i=0;$i<10;$i++) {

                $output.= rand(0,99999999) . "<br />";

        }

        echo $output;

        exit();

}

?>
<iframe src="PUT_THE_SAME_NAME_OF_THIS_FILE_HERE.php?test&953487"></iframe>
<iframe src="PUT_THE_SAME_NAME_OF_THIS_FILE_HERE.php?test&234322"></iframe>

Answer 1

rand is not designed to produce random numbers. Its purpose is to produce pseudorandom numbers that are distributed uniformly between the given endpoints. If you make a histogram of the numbers you've generated, you'll see that they are indeed uniformly distributed.

The algorithm that generates these numbers is entirely deterministic. If you provide the same seed (usually based on the current time, as in your example) you'll get exactly the same sequence of numbers. This is a feature, not a bug: it allows you exploit the statistical properties of the distribution while being able to reproduce the results afterwards by reusing the seed.

If you need the random numbers to be unpredictable, you should be using a cryptographic RNG.

If you just want to robustly avoid clashes like this (caused by colliding time-derived seeds), then you'll have to check against some sort of cross-session storage to ensure uniqueness (e.g. a file or database). If your application requires that the numbers are always unique, then you should be doing this anyway.