Bug Report #1944
Calling Auth->find_salt() with an empty string throws an "Uninitialized string offset" error
Assignee: Kiall Mac Innes
This happens whenever one calls Auth->login() with a username that doesn't match any existing user, and thus provides a way for an attacker to determine what users exist in the database.
This bug was introduced by r4367.
Reverting to the old substr() code, or adding an isset() check would fix it.
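The failure mode and both proposed fixes, as an added PHP example (not Kohana's code and not part of the original report). The offset values, function names, sample hash and the error handler that promotes PHP notices/warnings to exceptions are assumptions made for the illustration.

```php
<?php
// Constructed sample salt pattern; not taken from any real configuration.
const SALT_OFFSETS = [1, 3, 5, 9, 14, 15, 20, 21, 28, 30];

// Assumption: the framework promotes PHP notices/warnings to exceptions.
set_error_handler(function (int $no, string $msg, string $file, int $line) {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// Direct string-offset access: raises an error when $hash is too short.
function find_salt_offset(string $hash): string {
    $salt = '';
    foreach (SALT_OFFSETS as $i => $offset) {
        $salt .= $hash[$offset + $i];
    }
    return $salt;
}

// Fix 1 from the report: substr() yields nothing for an out-of-range offset.
function find_salt_substr(string $hash): string {
    $salt = '';
    foreach (SALT_OFFSETS as $i => $offset) {
        $salt .= substr($hash, $offset + $i, 1);
    }
    return $salt;
}

// Fix 2 from the report: guard each offset with isset().
function find_salt_isset(string $hash): string {
    $salt = '';
    foreach (SALT_OFFSETS as $i => $offset) {
        $pos = $offset + $i;
        $salt .= isset($hash[$pos]) ? $hash[$pos] : '';
    }
    return $salt;
}

// Constructed inputs: a 50-character stored hash, and '' for "no such user".
$stored = ['existing user' => str_repeat('ab12cd34ef', 5), 'unknown user' => ''];
foreach (['find_salt_offset', 'find_salt_substr', 'find_salt_isset'] as $fn) {
    foreach ($stored as $label => $hash) {
        try {
            $result = 'salt "' . $fn($hash) . '"';
        } catch (ErrorException $e) {
            $result = 'error: ' . $e->getMessage();
        }
        printf("%-17s %-14s %s\n", $fn, $label, $result);
    }
}
```

Only `find_salt_offset` behaves differently for the unknown user, which is the observable difference the report describes; the other two return an empty salt and let the login fail through the same path as a wrong password.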
#5 Updated by Dave Evans over 5 years ago
- File Auth.php.diff added
- Status changed from Closed to Feedback
I don't mean to be a PITA here (and I promise I'll shut up after this), but 2.3.4 is the version currently on offer as the latest stable release on the Kohana website. It contains a bug with security implications and a trivial fix. I think that's worth dealing with.
Given the API changes, not everyone is going to want to upgrade existing projects to 2.4 so it would be nice to provide them with a secure and stable 2.3 branch. (Incidentally, I'm not the only one to have run into this bug - it's mentioned in the forums: http://forum.kohanaphp.com/comments.php?DiscussionID=2702&page=1#Item_5)
Attached is a one-line patch that reverts the offending change. Is there any chance someone could apply it and update the 2.3 release accordingly?
Thanks for all the hard work you guys put into Kohana, it's very much appreciated.
#6 Updated by Kiall Mac Innes over 5 years ago
- Status changed from Feedback to Assigned
TBH - I think Dave is correct.
This is a security issue in the latest stable release of Kohana. I'll fix this in SVN trunk, but there will not be a 2.3.5 release considering 2.4 is due 9/9/9.
Jeremy - feel free to overrule me here if I'm out of line ;)
#8 Updated by Kiall Mac Innes over 5 years ago
- Status changed from Assigned to Closed
- Target version set to 1.0.0
- % Done changed from 0 to 90
It was decided to release the auth fix as an addon module; this was always the plan for 2.4.
auth will be removed from the 2.3.4 download and the site will be updated to reflect the change. (ticket #2068)