The GUID function basically is a loop that grabs pseudo-random values from mt_rand() (http://php.net/manual/en/function.mt-rand.php) in succession, and I'm pretty sure it's vulnerable to (fast) seed-cracking attacks (http://www.openwall.com/php_mt_seed/) and could allow an attacker to determine the seed(s) used to create their GUID, which could lead them to determining future GUIDs. Applications using this function to create tokens for file access, for example, would allow attackers to access files other than their own.
Note, the fact that more than one call to mt_rand() is used DOES NOT make the complexity to crack exponentially harder, as you might expect, since the values are drawn in succession using the previous state of mt_rand, meaning that ultimately all 8 values are dependent on the result of the first.
Fix: as stated on the PHP site, use this: http://php.net/manual/en/function.openssl-random-pseudo-bytes.php
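As an added illustration (this is not code from the original report or from the project it discusses), the weak pattern described above sits beside a replacement that draws from the OS CSPRNG. The weak generator is assumed to look like the one the report describes: eight `mt_rand()` draws in a row, formatted as a GUID. The seed value `12345` is constructed for the demonstration; the strong variant uses `random_bytes()` where available (PHP 7+) and falls back to the `openssl_random_pseudo_bytes()` function the report links to.

```php
<?php
// Weak: every chunk comes from the same Mersenne Twister state, so the
// whole GUID, and every GUID after it, is a deterministic function of
// the seed. Eight draws add no independent entropy.
function guid_weak(): string
{
    $chunks = [];
    for ($i = 0; $i < 8; $i++) {
        $chunks[] = sprintf('%04x', mt_rand(0, 0xffff));
    }
    return sprintf('%s%s-%s-%s-%s-%s%s%s', ...$chunks);
}

// Hardened: 16 bytes from the OS CSPRNG, with RFC 4122 version-4 and
// variant bits set so the result is a well-formed random UUID.
function guid_strong(): string
{
    if (function_exists('random_bytes')) {
        $bytes = random_bytes(16);
    } else {
        // Fallback for PHP 5.x with ext/openssl; refuse to proceed if the
        // library reports that the bytes are not cryptographically strong.
        $strong = false;
        $bytes = openssl_random_pseudo_bytes(16, $strong);
        if ($bytes === false || !$strong) {
            throw new RuntimeException('CSPRNG unavailable');
        }
    }
    $bytes[6] = chr((ord($bytes[6]) & 0x0f) | 0x40); // version 4
    $bytes[8] = chr((ord($bytes[8]) & 0x3f) | 0x80); // RFC 4122 variant
    $hex = bin2hex($bytes);
    return sprintf('%s-%s-%s-%s-%s',
        substr($hex, 0, 8), substr($hex, 8, 4), substr($hex, 12, 4),
        substr($hex, 16, 4), substr($hex, 20, 12));
}

// Demonstrate the report's point: once the seed is known, every GUID the
// weak generator produces is reproducible, including the "future" ones.
mt_srand(12345);            // constructed seed value for the demo
$first  = guid_weak();
$second = guid_weak();
mt_srand(12345);            // reseed and replay
if ($first !== guid_weak() || $second !== guid_weak()) {
    throw new LogicException('expected mt_rand() sequence to replay');
}

echo "weak (seed-determined): $first\n";
echo "strong (CSPRNG):        " . guid_strong() . "\n";
```

The replay check is what makes the second paragraph of the report concrete: reseeding with the same value reproduces not just the first GUID but the next one as well, so recovering the seed from one token is enough to predict the ones issued later. The strong variant has no seed to recover.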