Описание
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.
Отчет
This issue did not affect the version of php as shipped with Red Hat Enterprise Linux 5 as it did not include FreeSec's libcrypt cryptographic algorithms implementation yet. This issue was addressed in php53 package for Red Hat Enterprise Linux 5 via RHSA-2012:1047 and in php package for Red Hat Enterprise Linux 6 via RHSA-2012:1046.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | php | Not affected | ||
| Red Hat Enterprise Linux 5 | postgresql | Fixed | RHSA-2012:1036 | 25.06.2012 |
| Red Hat Enterprise Linux 5 | postgresql84 | Fixed | RHSA-2012:1037 | 25.06.2012 |
| Red Hat Enterprise Linux 5 | php53 | Fixed | RHSA-2012:1047 | 27.06.2012 |
| Red Hat Enterprise Linux 6 | postgresql | Fixed | RHSA-2012:1037 | 25.06.2012 |
| Red Hat Enterprise Linux 6 | php | Fixed | RHSA-2012:1046 | 27.06.2012 |
Показывать по
Дополнительная информация
Статус:
EPSS
4 Medium
CVSS2
Связанные уязвимости
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-REL ...
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.
EPSS
4 Medium
CVSS2