# CVE-2024-27632 Vulnerability Details
## Overview
In Savane v3.12 and prior, the Unix timestamp is used as a seed in the Pseudo-Random Number Generator (PRNG) used to generate Cross-Site Request Forgery (CSRF) protection tokens (`form_id`). As a result, an attacker may be able to independently generate the same valid CSRF token that was assigned to a victim user, thereby passing CSRF checks and leading to a successful CSRF attack. The impact of a CSRF attack includes privilege escalation and account takeover.
**CWE Classification:** CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
**Reported By:** Ally Petitt
**Affected Product**: Savane
**Affected Versions**: 3.12 and prior
## Technical Details
Before the `form_id` is generated, `utils_srand()` is called. Then, the generated `form_id` is created as an MD5 hash of a value generated by PHP's PRNG.
_frontend/php/include/form.php:61_
```
if (!$form_id)
{
utils_srand ();
$form_id = md5 (mt_rand (0, 1000000));
}
```
As shown in the code block below, `utils_srand()` is defined as a function that seeds the `microtime()`, a function that returns the Unix timestamp, multiplied by 1,000,000.
_frontend/php/include/utils.php:969_
```
function utils_srand ()
{
mt_srand ((int)((double)microtime () * 1000000));
}
```
As a result, the Unix timestamp, a predictable value, is used to generate a security-critical psuedo-random number. The time that a user's token was created can potentially be guessed or triggered by an attacker in order to obtain a valid timestamp that they can use to craft a valid CSRF token.
## Validation Steps
These steps aim to demonstrate that knowing the timestamp is enough to generate a valid token independently. Real-world attack strategies may involve additional creativity in order to ensure that the correct timestamp of the token creation is being deduced.
1. Visit a Savane webpage that generates a `form_id`.
2. Note the Unix timestamp that you visited that page.
3. Replace `$RECORDED_UNIX_TIME` with the time that was recorded and un the following PHP script. Observe that the value generated matches the `form_id` that the server returned upon initially visiting the webpage.
```
<?php
mt_srand ((int)((double)$RECORDED_UNIX_TIME* 1000000));
echo md5 (mt_rand (0, 1000000));
?>
```
## Mitigation
Upgrade to Savane version 3.13 or higher. The patch can be found [here](https://git.savannah.nongnu.org/cgit/administration/savane.git/commit/?h=i18n&id=dee5195d18f9ab16c860e8114819083673f66b95).