Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 4.3
CVE Id: CVE-2011-3189
Last Modified: 03 Feb 2012 11:00:45
Published: 25 Aug 2011 10:22:48
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2011-3189

Summary

The crypt function in PHP 5.3.7, when the MD5 hash type is used, returns the value of the salt argument instead of the hashed string, which might allow remote attackers to bypass authentication via an arbitrary password, a different vulnerability than CVE-2011-2483.

Vulnerable Systems

Application

  • PHP 5.3.7


References

CONFIRM - https://bugs.php.net/bug.php?id=55439

CONFIRM - https://bugs.gentoo.org/show_bug.cgi?id=380261

XF - php-crypt-security-bypass(69429)

CONFIRM - http://www.php.net/ChangeLog-5.php#5.3.8

CONFIRM - http://www.php.net/archive/2011.php#id2011-08-23-1

MLIST - [oss-security] 20110823 CVE assignment - PHP salt flaw CVE-2011-3189

SECUNIA - 45678

OSVDB - 74726

CONFIRM - http://support.apple.com/kb/HT5130

APPLE - APPLE-SA-2012-02-01-1

Related Patches

Apple 2012-02-01 Mac OS X Server 10.7.3 Update

Apple 2012-02-01 Mac OS X 10.7.3 Update

Apple 2012-02-01 Mac OS X Server 10.7.3 Combo Update

Apple 2012-02-01 Mac OS X 10.7.3 Combo Update

Apple 2012-02-01 Security Update 2012-001 v1.1 Server (Snow Leopard)

Apple 2012-02-01 Security Update 2012-001 v1.1 (Snow Leopard)


Last Updated: 27 May 2016 10:56:27