blob: d36156cade6637df9deec2e5c2a704144408102c [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200603-13">
<title>PEAR-Auth: Potential authentication bypass</title>
PEAR-Auth did not correctly verify data passed to the DB and LDAP
containers, thus allowing to inject false credentials to bypass the
<product type="ebuild">pear-auth</product>
<announced>March 17, 2006</announced>
<revised>March 17, 2006: 01</revised>
<package name="dev-php/PEAR-Auth" auto="yes" arch="*">
<unaffected range="ge">1.2.4</unaffected>
<vulnerable range="lt">1.2.4</vulnerable>
PEAR-Auth is a PEAR package that provides methods to create a PHP
based authentication system.
Matt Van Gundy discovered that PEAR-Auth did not correctly
validate data passed to the DB and LDAP containers.
<impact type="normal">
A remote attacker could possibly exploit this vulnerability to
bypass the authentication mechanism by injecting specially crafted
input to the underlying storage containers.
There is no known workaround at this time.
All PEAR-Auth users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=dev-php/PEAR-Auth-1.2.4&quot;</code>
<uri link="">CVE-2006-0868</uri>
<metadata tag="requester" timestamp="Tue, 14 Mar 2006 21:29:18 +0000">
<metadata tag="bugReady" timestamp="Tue, 14 Mar 2006 21:29:45 +0000">
<metadata tag="submitter" timestamp="Tue, 14 Mar 2006 23:22:04 +0000">