Posted by dokumori on February 9, 2013 at 1:42am
In this paper it is reported that many PHP applications make false assumptions about the true randomness of the core PHP random functions, and that this might lead to attacks, for example via password reset features. Drupal may also be affected by this, e.g. Drupal 6 session cookie generation.
If anyone researches this and finds Drupal to be actually vulnerable, please report to the security team.