PT-2012-3948 · Debian+2
Kurt Seifried · Published 2012-08-07 · Updated 2012-08-08 · CVE-2012-2317
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
PHP versions 5.3.x through 5.3.2
php5 package before 5.3.3-7+squeeze4 in Debian GNU/Linux squeeze
php5 package before 5.3.2-1ubuntu4.17 in Ubuntu 10.04 LTS
php5 package before 5.3.5-1ubuntu7.10 in Ubuntu 11.04
Description
The issue arises from the improper handling of an empty salt string in the PHP crypt function, potentially allowing remote attackers to bypass authentication in applications that rely on this function for password hashing.
Recommendations
For PHP 5.3.x, update to version 5.3.3 or later.
For Debian GNU/Linux squeeze, update the php5 package to 5.3.3-7+squeeze4 or later.
For Ubuntu 10.04 LTS, update the php5 package to 5.3.2-1ubuntu4.17 or later.
For Ubuntu 11.04, update the php5 package to 5.3.5-1ubuntu7.10 or later.
Affected Products
Debian
PHP
Ubuntu