PseudoRandom-php.txt

Due to poor design, gen_rand_string() can only generate up to 1 million hashes or random strings. This allows an attacker to reset any account through the lost password request form by “predicting” the validation id and the new password for the account. Vulnerabilities verified on phpBB 2.0.19 and IPB 2.1.4.
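The limit described above, as an added example that is not part of the advisory and is not phpBB or IPB code: a model generator whose output depends only on a seed with 1,000,000 possible values, beside a replacement that draws from the operating system's CSPRNG. The function names, the seed-based model and the 16-byte token size are assumptions made for illustration.

```php
<?php
// Added illustration; not phpBB or IPB code. All function names are hypothetical.

const SEED_SPACE = 1000000; // the advisory's limit: at most 1 million distinct outputs

// Weak model: the token is a pure function of a seed drawn from SEED_SPACE values,
// so at most SEED_SPACE different tokens can ever be issued, whatever their length.
function weak_token(int $seed, int $length = 8): string
{
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    mt_srand($seed % SEED_SPACE);
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $chars[mt_rand(0, strlen($chars) - 1)];
    }
    // Hashing changes how the token looks, not how many values it can take.
    return md5($out);
}

// Hardened form: the token comes straight from the OS CSPRNG (PHP 7+), no seed involved.
function strong_token(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// Upper bound, in bits, on the unpredictability of a generator with $outcomes possible outputs.
function entropy_bits(float $outcomes): float
{
    return log($outcomes, 2);
}

// Review check: does the generator return the same token whenever its seed repeats?
function is_seed_determined(callable $gen, int $seed): bool
{
    return $gen($seed) === $gen($seed);
}

printf("weak: same seed gives same token: %s\n", is_seed_determined('weak_token', 123456) ? 'yes' : 'no');
printf("weak: at most %.1f bits (%d outcomes)\n", entropy_bits(SEED_SPACE), SEED_SPACE);
printf("weak: apparent strength of 8 chars from 62: %.1f bits\n", entropy_bits(62 ** 8));
printf("strong: %d bits, sample %s\n", 16 * 8, strong_token());
printf("strong: two calls differ: %s\n", strong_token() !== strong_token() ? 'yes' : 'no');
```

When reviewing a password-reset flow, the figure to compare is the number of values the generator can actually produce, not the length or alphabet of the string it returns.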

 

You can download this advisory from the following link: https://packetstormsecurity.com/files/download/43633/PseudoRandom-php.txt

Source: https://packetstormsecurity.com/files/43633/PseudoRandom-php.txt.html
