
Bug #711 *BACKDOOR* in auth package
Submitted: 2004-02-09 12:31 UTC
From: mahdi dot nadir at viveris dot fr
Assigned: mj
Status: Closed
Package: Auth
PHP Version: Irrelevant
OS: ALL
Roadmaps: (Not assigned)
 [2004-02-09 12:31 UTC] mahdi dot nadir at viveris dot fr
Description:
------------
in pear/auth/container.php 1.15 (last) and since (1.8).
in method verifyPassword() line 85:

function verifyPassword($password1, $password2, $cryptType = "md5")
{
    switch ($cryptType) {
        case "crypt" :
            return (($password2 == "**" . $password1) ||
                    (crypt($password1, $password2) == $password2)
                   );
            break;
[...]

In line 85, uncrypted password (user submitted) is compared with crypted password prefixed by '**'.
This feature allows anyone having the crypted password to get in.

Reproduce code:
---------------
require('Auth/Container.php');
if (Auth_Container::verifyPassword('foo','**foo','crypt'))
    echo 'welcome';
else
    echo 'access denied';

Expected result:
----------------
access denied

Actual result:
--------------
welcome
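
The comparison quoted in the report next to a stricter check, as an added example that is not part of the original report and is not the fix committed to CVS (which this page does not show). The function names and sample values are constructed for illustration; it assumes PHP 7.1 or later for hash_equals(), password_hash() and the array destructuring used in the loop.

```php
<?php
// Added illustration; not PEAR Auth code. Function names are hypothetical.

// The "crypt" comparison as quoted in the report. The first clause never
// hashes anything: it passes whenever the stored value is "**" followed by
// exactly the text the user typed.
function verify_crypt_as_reported(string $submitted, string $stored): bool
{
    return ($stored == "**" . $submitted)
        || (crypt($submitted, $stored) == $stored);
}

// Stricter form: the only way to pass is to reproduce the stored hash.
function verify_crypt_strict(string $submitted, string $stored): bool
{
    $computed = crypt($submitted, $stored);
    // On failure (for example an invalid salt such as "**") crypt() returns
    // a string shorter than 13 characters that differs from the salt.
    if (strlen($computed) < 13) {
        return false;
    }
    // Constant-time comparison, and no type juggling as with ==.
    return hash_equals($stored, $computed);
}

// Constructed sample data: one real crypt()-compatible hash, and the stored
// value used in the report's reproduce code.
$hash = password_hash('s3cret', PASSWORD_BCRYPT);
$cases = [
    ['s3cret', $hash],
    ['wrong',  $hash],
    ['foo',    '**foo'],
];

foreach ($cases as [$submitted, $stored]) {
    printf(
        "%-8s reported=%-5s strict=%s\n",
        $submitted,
        var_export(verify_crypt_as_reported($submitted, $stored), true),
        var_export(verify_crypt_strict($submitted, $stored), true)
    );
}
```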

Comments

 [2004-02-16 09:03 UTC] lsmith
this sounds like a bug that needs to be addressed ASAP
 [2004-02-16 09:25 UTC] mj
This has been fixed in CVS some days ago.