Uses String::Random with rand rng
Hi,
Looking at the code of the master branch, several modules use a weak random-number generator:
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Ext2F.pm
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Mail2F.pm
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SMTP.pm
By default String::Random uses Perl's rand rng, which is not suitable for use in crypto-related code. Given that the rand_gen method doesn't seem to be used anywhere in the codebase, I assume that LL::NG uses rand in those cases.
I have not tried to exploit this weakness.
Lemonldap::NG::Portal::Lib::SAML also uses String::Random, but none of its methods seem to be used.
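
One way to address the weakness described above, shown as an added example that is not LemonLDAP::NG code: give String::Random a `rand_gen` callback backed by the kernel CSPRNG instead of Perl's rand. The helper name `secure_rand_int`, the `\d{6}` pattern and the direct read from `/dev/urandom` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use String::Random;

# Kernel CSPRNG, opened once (assumes a Unix-like system with /dev/urandom).
open( my $urandom, '<:raw', '/dev/urandom' )
  or die "cannot open /dev/urandom: $!\n";

# Hypothetical helper: unbiased integer in [0, $max) from the CSPRNG.
# Assumes a perl built with 64-bit integers.
sub secure_rand_int {
    my ($max) = @_;
    my $range = 2**32;
    die "max must be in 1..$range\n" if $max < 1 || $max > $range;

    # Reject draws at or above the largest multiple of $max, so the
    # final modulo does not favour small values (no modulo bias).
    my $limit = $range - ( $range % $max );
    while (1) {
        my $got = read( $urandom, my $buf, 4 );
        die "short read from /dev/urandom\n"
          unless defined $got && $got == 4;
        my $value = unpack( 'N', $buf );    # 32-bit big-endian unsigned
        return $value % $max if $value < $limit;
    }
}

# Before: default constructor, random numbers come from Perl's rand,
# a non-cryptographic PRNG.
my $weak = String::Random->new;

# After: same API, random numbers come from the CSPRNG via rand_gen.
# rand_gen receives $max and must return an integer in 0 .. $max - 1.
my $strong = String::Random->new( rand_gen => \&secure_rand_int );

# Constructed pattern: a six-digit one-time code.
my $pattern = '\d{6}';
printf "rand-backed code:   %s\n", $weak->randregex($pattern);
printf "CSPRNG-backed code: %s\n", $strong->randregex($pattern);
```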