| Package home | Report new bug | New search | Development Roadmap | Status: Open | Feedback | All | Closed Since Version 1.6.4 |
| Bug #711 | *BACKDOOR* in auth package | ||
|---|---|---|---|
| Submitted: | 2004-02-09 12:31 UTC | ||
| From: | mahdi dot nadir at viveris dot fr | Assigned: | mj |
| Status: | Closed | Package: | Auth |
| PHP Version: | Irrelevant | OS: | ALL |
| Roadmaps: | (Not assigned) | ||
[2004-02-09 12:31 UTC] mahdi dot nadir at viveris dot fr
Description:
------------
in pear/auth/container.php 1.15 (last) and since (1.8).
in method verifyPassword() line 85:
function verifyPassword($password1, $password2, $cryptType = "md5")
{
switch ($cryptType) {
case "crypt" :
return (($password2 == "**" . $password1) ||
(crypt($password1, $password2) == $password2)
);
break;
[...]
In line 85, uncrypted password (user submited) is compared with crypted password prefixed by '**'.
This feature allow any people having the crypted password to get in.
Reproduce code:
---------------
require('Auth/Container.php');
if (Auth_Container::verifyPassword('foo','**foo','crypt'))
echo 'welcome';
else
echo 'access denied';
Expected result:
----------------
access denied
Actual result:
--------------
welcome