BugTraq
Multiple Injection Vulnerabilities in PHP PEAR::Auth Module Feb 22 2006 06:01AM
Matt Van Gundy (matt shekinahstudios com) (1 replies)
PRODUCT:
PEAR::Auth Authentication Module Package
http://pear.php.net/package/Auth

VERSIONS AFFECTED:
All versions < 1.2.4
1.3 series < 1.3.0r4

DESCRIPTION:
Multiple injection vulnerabilities exist in the PEAR::Auth module.
Some of the PEAR::Auth Container back ends do not fully validate
input from the user before presenting it to the underlying
authentication mechanisms. This allows a malicious user to
perform injection attacks against the underlying authentication
mechanism in order to falsify authentication credentials.

TIMELINE:
2006.01.30 - Vendor notified
2006.02.08 - Other developers contacted
2006.02.15 - Fix released
2006.02.21 - Public disclosure to Bugtraq

DISCOVERED BY:
Matt Van Gundy <matt-spam [at] shekinahstudios [dot] com>
^^^^^ remove the -spam to get past my spamtrap


Re: Multiple Injection Vulnerabilities in PHP PEAR::Auth Module Feb 22 2006 08:32PM
Benjamin R. Ginter (bginter ndevtech net)


 
