Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authentication Vulnerability - possible attempt to login via zero-valued password credential #249

Closed
Ocramius opened this issue May 16, 2013 · 2 comments
Closed

Authentication Vulnerability - possible attempt to login via zero-valued password credential #249

Ocramius opened this issue May 16, 2013 · 2 comments
Assignees
@Ocramius
Labels
Bug

Comments

@Ocramius
Copy link
Member

Security advisory: zero-valued authentication credentials vulnerability

DoctrineModule version 0.7.2 has been just released and includes a security fix for #248 via @5f79a9f7b and @78018ef568,

Affected versions

All versions below 0.7.2 are affected. dev-master and 0.8.x are not affected starting from @78018ef568.

Description

As of #248 it is possible (under certain circumstances) to obtain a valid Zend\Authentication identity even without knowing the user's credentials by using a numerically valued credential in DoctrineModule\Authentication\Adapter\ObjectRepository.

Exploits

Because of a mistake in how authentication credentials are compared in DoctrineModule\Authentication\Adapter\ObjectRepository it is possible to authenticate against an application with a numeric credential value.

Assuming a user with username "admin" a password hash "00000" (or numerically casted equivalent) on the database, following code will authenticate the user (assuming no hashing method is applied to the input credential):

$adapter = new \DoctrineModule\Authentication\Adapter\ObjectRepository()

$adapter->setOptions(array(
     'object_repository' => $objectRepository,
     'credential_property' => 'password',
     'identity_property' => 'username'
));

$adapter->setIdentityValue('admin');
$adapter->setCredentialValue('0');

var_dump($authService->authenticate()->isValid()); // true

Resolution

If you are using an affected version of DoctrineModule (any version below 0.7.2), you must upgrade as soon as possible by running a composer update. Please ensure that you have at least version 0.7.2 of installed.

Credits

This issue was discovered by @atans and a fix was quickly developed by @bakura10: thanks to both!
@ghost ghost assigned Ocramius May 16, 2013
Ocramius added a commit to Ocramius/security-advisories that referenced this issue May 16, 2013
@Ocramius
Zero-valued auth credential as of doctrine/DoctrineModule#249
dbadacd
@Ocramius Ocramius mentioned this issue May 16, 2013
Merged
fabpot added a commit to FriendsOfPHP/security-advisories that referenced this issue May 16, 2013
@fabpot
Merge pull request #5 from Ocramius/doctrine-module/zero-password-auth
caf6b7a 
Zero-valued auth credential as of doctrine/DoctrineModule#249
@superdweebie
Copy link
Contributor

@Ocramius @bakura10 @atans great job on the discovery, report, and quick fix. A very big thank you. I think I was the one who introduced the problem :(

@Ocramius
Copy link
Member Author

Doesn't matter, it's fixed :)
On 16 May 2013 23:50, "Tim Roediger" notifications@github.com wrote:

@Ocramius https://github.com/Ocramius @bakura10https://github.com/bakura10
@atans https://github.com/atans great job on the discovery, report, and
quick fix. A very big thank you. I think I was the one who introduced the
problem :(


Reply to this email directly or view it on GitHubhttps://github.com//issues/249#issuecomment-18031456
.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Ocramius Ocramius

Labels
Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Ocramius @superdweebie