


Category:   Application (Generic)  >   PEAR Auth
Vendors:   PHP Group
PEAR Auth Input Validation Bugs Let Remote Users Falsify Authentication Credentials
SecurityTracker Alert ID:  1015666
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 22 2006
Impact:   Modification of authentication information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.2.4; 1.3 series prior to 1.3.0r4
Description:   A vulnerability was reported in PEAR::Auth. A remote user may be able to falsify authentication credentials.

Some of the PEAR::Auth Container components do not properly validate user-supplied input. A remote user can conduct injection attacks against the underlying authentication mechanism to falsify authentication credentials.

The vendor was notified on January 30, 2006.

Matt Van Gundy discovered this vulnerability.

Impact:   A remote user may be able to falsify authentication credentials against applications that use the affected library.
Solution:   The vendor has issued a fixed version (1.2.4), available at:

Vendor URL:
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

Source Message Contents

Subject:  Multiple Injection Vulnerabilities in PHP PEAR::Auth Module


    PEAR::Auth Authentication Module Package

    All versions < 1.2.4
    1.3 series < 1.3.0r4

    Multiple injection vulnerabilities exist in the PEAR::Auth module.
    Some of the PEAR::Auth Container back ends do not fully validate
    input from the user before presenting it to the underlying
    authentication mechanisms.  This allows a malicious user to
    perform injection attacks against the underlying authentication
    mechanism in order to falsify authentication credentials.

    2006.01.30 - Vendor notified
    2006.02.08 - Other developers contacted
    2006.02.15 - Fix released
    2006.02.21 - Public disclosure to Bugtraq

    Matt Van Gundy <matt-spam [at] shekinahstudios [dot] com>
                        ^^^^^ remove the -spam to get past my spamtrap

