php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #21113 Auth bug
Submitted: 2002-12-20 08:20 UTC Modified: 2003-01-03 05:57 UTC
From: entis at poczta dot fm Assigned:
Status: Closed Package: PEAR related
PHP Version: 4.2.3 OS: winxp
Private report: No CVE-ID: None
 [2002-12-20 08:20 UTC] entis at poczta dot fm
there is dangerous bug in Auth package !

In file \Auth\Container\DB.php 
In method Auth_Container_DB::fetchData
In lines :
...
$res = $this->query($query);
if (DB::isError($res)) {
  return PEAR::raiseError($res->code, PEAR_ERROR_DIE);
} else {
...

compare raiseError definition :

    function &raiseError($message = null,
                         $code = null,
                         $mode = null,
                         $options = null,
                         $userinfo = null,
                         $error_class = null,
                         $skipmsg = false)

code should be second parameter and mode should be third parameter. 

I check if something go wrong in fetching data from database, this code don't stop program (PEAR_ERROR_DIE isn't in correct place) and user can gain unauthorized access. Solution is very simple :

...
$res = $this->query($query);
if (DB::isError($res)) {
  return PEAR::raiseError('',$res->code, PEAR_ERROR_DIE);
} else {
...

i have also proposition for Auth::login method :

replace this line :

$login_ok = $this->storage->fetchData($this->username, $this->password);

with this line :
$login_ok = ($this->storage->fetchData($this->username, $this->password) === TRUE);







Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-12-20 08:30 UTC] entis at poczta dot fm
the same bug is in methods :
_connect
addUser
removeUser
listUsers
 [2003-01-03 05:57 UTC] mj@php.net
I've fixed the wrong usage of raiseError(). The changes will appear in the next release.

Thanks for noticing!
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Oct 28 17:03:35 2021 UTC