we are running Fortify scans on various Drupal modules, and a common critical/high result is "Insecure Randomness". It states that the rand() function cannot withstand a cryptographic attack.
My question - is this a serious concern? How to fix it in PHP?
Thank you.
mt_rand?
The answer to this question entirely depends on what you are using the results from the rand() call for.
If you're using them for things like cryptographic keys, where the security of the tool depends on the randomness of your random numbers, then, yes, this is a serious concern. In that case, you should not call rand() or mt_rand(), as both do not produce "random" numbers that are sufficiently random to rely on for cryptographic use. You really want to make use of the platform you're running on's underlying pseudorandom number generator (PRNG) - /dev/urandom on a Unix/Linux system or the crypto-api on a Windows system - as these have been studied extensively and produce really random numbers that are suitable for use in cryptosystems. PHP doesn't make accessing these random sources all that easy, but examples do exist on how to do so (like this -> http://www.php.net/manual/en/function.mt-rand.php#83655).
If you're using randoms for something else, like to randomize which option is presented to the user first, or something like that, where the numbers produced are not being used in any cryptographical way, then you may be able to get away with using rand() or mt_rand(). But, if your applications/modules rely on good random numbers for their security, you really need to take advantage of the OS sources, as described above.