PEAR::Auth versions prior to 1.2.4, and 1.3 series versions prior to 1.3.0r4, suffer from SQL injection flaws.
PRODUCT:
PEAR::Auth Authentication Module Package
http://pear.php.net/package/Auth
VERSIONS AFFECTED:
All versions < 1.2.4
1.3 series < 1.3.0r4
DESCRIPTION:
Multiple injection vulnerabilities exist in the PEAR::Auth module.
Some of the PEAR::Auth Container back ends do not fully validate
input from the user before presenting it to the underlying
authentication mechanisms. This allows a malicious user to
perform injection attacks against the underlying authentication
mechanism in order to falsify authentication credentials.
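
The flaw class described above, shown against a stand-in SQL back end as an added example. This is not PEAR::Auth code: the table, column and function names are hypothetical, and the account row is constructed. It contrasts a lookup that splices the username into the query text with one that binds it as a value.

```php
<?php
// Added illustration; not PEAR::Auth source. Table, column and function
// names are hypothetical, and the account row is constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed account whose name legitimately contains a quote character.
$seed = $db->prepare('INSERT INTO auth (username, password) VALUES (?, ?)');
$seed->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Flawed pattern: the username is spliced into the statement text, so the
// back end parses user-supplied characters as part of the SQL grammar.
function fetchHashInterpolated(PDO $db, string $username): ?string
{
    $sql = "SELECT password FROM auth WHERE username = '$username'";
    $hash = $db->query($sql)->fetchColumn();
    return $hash === false ? null : $hash;
}

// Corrected pattern: the statement text is fixed and the username travels
// as a bound value, so it can only ever be compared as data.
function fetchHashBound(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT password FROM auth WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : $hash;
}

function checkLogin(callable $fetch, PDO $db, string $user, string $pass): string
{
    try {
        $hash = $fetch($db, $user);
    } catch (PDOException $e) {
        // The input changed the shape of the query: evidence of injectability.
        return 'query broken by input';
    }
    return ($hash !== null && password_verify($pass, $hash)) ? 'accepted' : 'rejected';
}

echo 'interpolated: ', checkLogin('fetchHashInterpolated', $db, "o'brien", 'correct horse'), "\n";
echo 'bound:        ', checkLogin('fetchHashBound', $db, "o'brien", 'correct horse'), "\n";
echo 'bound, wrong: ', checkLogin('fetchHashBound', $db, "o'brien", 'wrong'), "\n";
```

A benign name containing a quote is a useful regression input: if it makes the lookup fail with a parse error, the username is reaching the back end as query syntax.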
TIMELINE:
2006.01.30 - Vendor notified
2006.02.08 - Other developers contacted
2006.02.15 - Fix released
2006.02.21 - Public disclosure to Bugtraq
DISCOVERED BY:
Matt Van Gundy <matt-spam [at] shekinahstudios [dot] com>
^^^^^ remove the -spam to get past my spamtrap