Security advisory: zero-valued authentication credentials vulnerability

DoctrineModule version 0.7.2 has just been released and includes a security fix for #248 via @5f79a9f7b and @78018ef568.

Affected versions

All versions below 0.7.2 are affected. dev-master and 0.8.x are not affected starting from @78018ef568.

Description

As of #248 it is possible (under certain circumstances) to obtain a valid Zend\Authentication identity even without knowing the user's credentials by using a numerically valued credential in DoctrineModule\Authentication\Adapter\ObjectRepository.

Exploits

Because of a mistake in how authentication credentials are compared in DoctrineModule\Authentication\Adapter\ObjectRepository, it is possible to authenticate against an application with a numeric credential value. Assuming a user with username "admin" and a password hash "00000" (or a numerically cast equivalent) in the database, the following code will authenticate the user (assuming no hashing method is applied to the input credential):

Resolution
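As an added illustration of the comparison flaw, not DoctrineModule's own code: it assumes the adapter compared the stored credential with PHP's loose `==`, which treats numeric strings as numbers, and shows the strict check that closes that hole.

```php
<?php
declare(strict_types=1);

// Constructed example, not DoctrineModule's code. $stored is the credential value
// read from the user entity; $supplied is what the login form sent, after any
// optional credential callable has been applied (here: none, as in the advisory).

function looseCredentialMatch(string $stored, $supplied): bool
{
    // Loose comparison: PHP converts numeric strings to numbers first, so
    // "00000" == 0, "00000" == "0" and "00000" == 0.0 all evaluate to true.
    return $stored == $supplied;
}

function strictCredentialMatch(string $stored, $supplied): bool
{
    // Reject anything that is not a string, then compare byte for byte in
    // constant time. "00000" and "0" are now different, as they should be.
    // (When the stored value is a real password hash, use password_verify().)
    if (!is_string($supplied)) {
        return false;
    }
    return hash_equals($stored, $supplied);
}

$stored = '00000';                       // the "password hash" from the advisory
$probes = ['00000', '0', 0, 0.0, 'admin']; // constructed login inputs

foreach ($probes as $supplied) {
    printf("%-8s loose=%-5s strict=%s\n",
        var_export($supplied, true),
        looseCredentialMatch($stored, $supplied) ? 'true' : 'false',
        strictCredentialMatch($stored, $supplied) ? 'true' : 'false');
}
```

Only the exact string '00000' passes the strict check; '0', 0 and 0.0 pass the loose one, which is the "numerically cast equivalent" the advisory warns about.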
If you are using an affected version of DoctrineModule (any version below 0.7.2), you must upgrade as soon as possible by running a composer update. Please ensure that you have at least version 0.7.2 of DoctrineModule installed.

Credits

This issue was discovered by @atans and a fix was quickly developed by @bakura10: thanks to both!