Fake Accounts on your site

Hi,

after looking for a while in various settings i found it...
right on top of the admin panel :D

Warhammerers Online Admin Panel - v7.00.05

I'll have a talk with the other admins.

Verification codes can be predicted/calculated.

\includes\classes\UserFieldInput.class.php lines 411-414 deal with generating email verification code on account registration:
[syntaxhighlighter brush=php,first-line=411,highlight=0,collapse=false,html-script=false]
mt_srand((double)microtime()*1000000); $salt = "";
for ($i = 0; $i <= 10; $i++) { $salt .= chr(rand(97, 122)); }
$user_code = md5($this->_userEmail.$salt);
$email_verify_link = $settings['siteurl']."edit_profile.php?code=".$user_code;[/syntaxhighlighter]Function rand() (line 412) is used to randomly return an int; this function however, produces "equally divided" results.

Beneath is a comparison of a 400 x 400px image generated by output from rand() (left part of image, which illustrates what is meant by "equally divided" and mt_rand() (right part of image):



Also, mt_srand() is used on line 411 (in an attempt) to seed the function used to return random integers. mt_srand() however, seeds the mt_rand() function (though regular rand() is used (which can be seeded using mt_rand())).

I suggest to:
[ulist=disc]replace rand() (line 412) by mt_rand().[/ulist][ulist=disc]include mt_srand() (line 411) in the for-loop.[/ulist]
P.S.: though mt_rand() greatly decreases predictability for returned results (see image for comparison), it's not deemed cryptographically secure.