PEAR Auth Input Validation Bugs Let Remote Users Falsify Authentication Credentials
SecurityTracker Alert ID: 1015666
SecurityTracker URL: http://securitytracker.com/id/1015666
Date: Feb 22 2006
Impact: Modification of authentication information, User access via network
Fix Available: Yes  Vendor Confirmed: Yes
Version(s): prior to 1.2.4; 1.3 series prior to 1.3.0r4
A vulnerability was reported in PEAR::Auth. A remote user may be able to falsify authentication credentials.
Some of the PEAR::Auth Container components do not properly validate user-supplied input. A remote user can conduct injection attacks against the underlying authentication mechanism to falsify authentication credentials.
The vendor was notified on January 30, 2006.
Matt Van Gundy discovered this vulnerability.
A remote user may be able to falsify authentication credentials against applications that use the affected library.
The vendor has issued a fixed version (1.2.4), available at:
Vendor URL: pear.php.net/package/Auth
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any)
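The bug class the advisory describes, a container back end passing the user-supplied name straight into its lookup query, shown as an added Python illustration (PEAR::Auth itself is PHP; this is not its code). The users table, the credentials and the function names make_db, lookup_password_vulnerable, lookup_password_fixed and probe are constructed for the example; the probe only reports whether the input reached the SQL parser as syntax, which is the property a defender checks for.

```python
import sqlite3


def make_db():
    """Constructed stand-in for an Auth container's credential store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def lookup_password_vulnerable(conn, username):
    # The flawed pattern: the name is concatenated into the query text, so
    # quote characters in the input are interpreted as SQL syntax rather
    # than as part of the value being compared.
    sql = f"SELECT password FROM users WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_password_fixed(conn, username):
    # Hardened form: a bound parameter. The driver sends the value as data,
    # so the query text is constant regardless of what the user typed.
    sql = "SELECT password FROM users WHERE username = ?"
    row = conn.execute(sql, (username,)).fetchone()
    return row[0] if row else None


def probe(conn, lookup, username):
    """Return ('ok', value) when the input stayed data, or
    ('sql_error', message) when it was parsed as SQL syntax."""
    try:
        return ("ok", lookup(conn, username))
    except sqlite3.OperationalError as exc:
        return ("sql_error", str(exc))


if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing an apostrophe separates the two forms:
    # the fixed lookup simply finds no such user, the vulnerable one fails
    # inside the SQL parser because the apostrophe ended the string literal.
    for name in ("alice", "o'brien"):
        print(name, probe(db, lookup_password_vulnerable, name),
              probe(db, lookup_password_fixed, name))
```

A unit test of this shape (a quote-bearing name must never change the outcome of the lookup) is a cheap regression check for any authentication back end that builds queries from user input.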
Source Message Contents
Subject: Multiple Injection Vulnerabilities in PHP PEAR::Auth Module
PEAR::Auth Authentication Module Package
All versions < 1.2.4
1.3 series < 1.3.0r4
Multiple injection vulnerabilities exist in the PEAR::Auth module.
Some of the PEAR::Auth Container back ends do not fully validate
input from the user before presenting it to the underlying
authentication mechanisms. This allows a malicious user to
perform injection attacks against the underlying authentication
mechanism in order to falsify authentication credentials.
2006.01.30 - Vendor notified
2006.02.08 - Other developers contacted
2006.02.15 - Fix released
2006.02.21 - Public disclosure to Bugtraq
Matt Van Gundy <matt-spam [at] shekinahstudios [dot] com>
^^^^^ remove the -spam to get past my spamtrap