Summary
This host is running PHP and is prone to a security bypass vulnerability.
Impact
Successful exploitation could allow remote attackers to bypass authentication via an arbitrary password.
Impact Level: Application
Solution
Upgrade to PHP version 5.3.8 or later.
For updates refer to http://www.php.net/downloads.php
Insight
The flaw is due to an error in the 'crypt()' function, which returns the salt value instead of the hash value when executed with an MD5 hash. This allows an attacker to bypass authentication via an arbitrary password.
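A way to audit a credential store for values written while the affected 'crypt()' was in use, given as an added example that is not part of the original advisory. It assumes the application stores the crypt() output verbatim; the function names and the sample rows are hypothetical and constructed for illustration.

```python
import re

# MD5-crypt layout: "$1$" + salt (up to 8 chars) + "$" + 22-char digest
# taken from the crypt alphabet ./0-9A-Za-z.
FULL_MD5 = re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$")
# What the advisory describes: the salt comes back with no digest after it.
SALT_ONLY = re.compile(r"^\$1\$[^$]{0,8}\$?$")


def classify(stored):
    """Return 'ok', 'salt_only', 'malformed_md5' or 'other_scheme'."""
    if not stored.startswith("$1$"):
        return "other_scheme"      # not MD5-crypt, outside this check
    if FULL_MD5.match(stored):
        return "ok"
    if SALT_ONLY.match(stored):
        return "salt_only"         # no digest stored at all
    return "malformed_md5"         # MD5 prefix but digest truncated or damaged


def audit(records):
    """Return (user, reason) pairs for rows that hold no usable MD5 digest."""
    findings = []
    for user, stored in records:
        reason = classify(stored)
        if reason in ("salt_only", "malformed_md5"):
            findings.append((user, reason))
    return findings


# Constructed sample rows (user, stored value); digests are format-only fillers.
SAMPLE = [
    ("alice", "$1$Qx7pLm2a$" + "A" * 22),   # complete MD5-crypt string
    ("bob", "$1$Qx7pLm2a$"),                # salt only, as the flaw produces
    ("carol", "$2y$10$" + "B" * 53),        # different scheme, out of scope
    ("dave", "$1$Qx7pLm2a$short"),          # truncated digest
]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE):
        print(f"{user}: {reason} -> force password reset")
```

Rows reported as salt_only contain no password digest, so they cannot verify any password and the accounts need a forced reset after upgrading.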
Affected
PHP version 5.3.7
Severity
Classification
- CVE: CVE-2011-3189
- CVSS Base Score: 4.3
- CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N