Bug Report #1944

Calling Auth->find_salt() with an empty string throws an "Uninitialized string offset" error

Added by Dave Evans over 5 years ago. Updated about 5 years ago.

Status: Closed
Start date: 08/13/2009
Priority: Urgent
Due date:
Assignee: Kiall Mac Innes
% Done:
Target version: 1.0.0
Resolution: invalid
Points:


This happens whenever one calls Auth->login() with a username that doesn't match any existing user, and thus provides a way for an attacker to determine what users exist in the database.

This bug was introduced by r4367.

Reverting to the old substr() code, or adding an isset() check would fix it.

Auth.php.diff (391 Bytes) Dave Evans, 09/02/2009 02:24 PM

Related issues

Related to Kohana v2.x - Bug Report #1214: Patches to change substr($x, $y, 1) to $x[$y] Closed
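
The failure mode described in the report, as an added example that is not Kohana's code and not part of the original ticket: three hypothetical `find_salt_*` variants over a constructed salt pattern, run against the empty string that the report says reaches find_salt() when the username is unknown. Only the `$x[$y]` form emits a diagnostic, which is what makes the unknown-user path distinguishable from a wrong password.

```php
<?php
// Added example; function names and the salt pattern are hypothetical.
$salt_pattern = array(1, 3, 5, 9, 14, 15, 20, 21, 28, 30); // constructed offsets

// Variant using string offsets ($x[$y]): diagnostic when the offset is past the end.
function find_salt_index($password, array $pattern)
{
    $salt = '';
    foreach ($pattern as $i => $offset) {
        $salt .= $password[$offset + $i];
    }
    return $salt;
}

// Variant using substr($x, $y, 1): contributes nothing past the end, no diagnostic.
function find_salt_substr($password, array $pattern)
{
    $salt = '';
    foreach ($pattern as $i => $offset) {
        $salt .= substr($password, $offset + $i, 1);
    }
    return $salt;
}

// Variant keeping $x[$y] but guarding each read with isset().
function find_salt_isset($password, array $pattern)
{
    $salt = '';
    foreach ($pattern as $i => $offset) {
        if (isset($password[$offset + $i])) {
            $salt .= $password[$offset + $i];
        }
    }
    return $salt;
}

// Collect diagnostics instead of letting them reach the response.
$diagnostics = array();
set_error_handler(function ($errno, $errstr) use (&$diagnostics) {
    $diagnostics[] = $errstr;
    return true;
});

$stored = ''; // empty string passed to find_salt() for an unknown username (per the report)
foreach (array('find_salt_index', 'find_salt_substr', 'find_salt_isset') as $fn) {
    $diagnostics = array();
    $salt = $fn($stored, $salt_pattern);
    printf("%-17s salt=%s diagnostics=%d\n", $fn, var_export($salt, true), count($diagnostics));
}
```

A regression test for the login path can assert that an unknown username and a wrong password produce the same response and no PHP diagnostics.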


#1 Updated by Jeremy Bush over 5 years ago

  • Assignee set to Kiall Mac Innes
  • Priority changed from High to Urgent
  • Target version set to 2.4

#2 Updated by Kiall Mac Innes over 5 years ago

  • Status changed from New to Closed
  • Resolution set to invalid

Turns out the changes from #1214 were never merged to the 2.4 branch; this bug does not exist in 2.4.

#3 Updated by Dave Evans about 5 years ago

  • Status changed from Closed to Feedback
  • Target version changed from 2.4 to 2.3.4

Glad this doesn't exist in 2.4. Can you also fix it in 2.3.4, please?

#4 Updated by Jeremy Bush about 5 years ago

  • Status changed from Feedback to Closed

The 2.3.x branch is no longer being maintained.

#5 Updated by Dave Evans about 5 years ago

  • File Auth.php.diff added
  • Status changed from Closed to Feedback

I don't mean to be a PITA here (and I promise I'll shut up after this), but 2.3.4 is the version currently on offer as the latest stable release on the Kohana website. It contains a bug with security implications and a trivial fix. I think that's worth dealing with.

Given the API changes, not everyone is going to want to upgrade existing projects to 2.4 so it would be nice to provide them with a secure and stable 2.3 branch. (Incidentally, I'm not the only one to have run into this bug - it's mentioned in the forums: http://forum.kohanaphp.com/comments.php?DiscussionID=2702&page=1#Item_5)

Attached is a one-line patch that reverts the offending change. Is there any chance someone could apply it and update the 2.3 release accordingly?

Thanks for all the hard work you guys put into Kohana, it's very much appreciated.

#6 Updated by Kiall Mac Innes about 5 years ago

  • Status changed from Feedback to Assigned

TBH - I think Dave is correct.

This is a security issue in the latest stable release of Kohana. I'll fix this in SVN trunk, but there will not be a 2.3.5 release considering 2.4 is due 9/9/9.

Jeremy - feel free to overrule me here if I'm out of line ;)

#7 Updated by Kiall Mac Innes about 5 years ago

  • Project changed from Kohana v2.x to Auth Module for v2.x
  • Category deleted (Modules:Auth)
  • Target version deleted (2.3.4)

#8 Updated by Kiall Mac Innes about 5 years ago

  • Status changed from Assigned to Closed
  • Target version set to 1.0.0
  • % Done changed from 0 to 90

It was decided to release the auth fix as an addon module; this was always the plan for 2.4.

auth will be removed from the 2.3.4 download and the site will be updated to reflect the change. (ticket #2068)
