VID | 22530 |
Severity | 40 |
Port | 80, ... |
Protocol | TCP |
Class | CGI |
Detailed Description |
According to its banner, PHP 5.3.7 is installed on the remote host. This version contains a bug in the crypt() function when generating salted MD5 hashes. The function only returns the salt rather than the salt and hash. Any authentication mechanism that uses crypt() could authorize all authentication attempts due to this bug.
* Note: This check solely relied on the version number of the remote WebLogic server to assess this vulnerability, so this might be a false positive.
* References: https://bugs.php.net/bug.php?id=55439 http://www.php.net/archive/2011.php#id2011-08-23-1
* Platforms Affected: PHP prior to 5.3.8; any operating system, any version |
Recommendation |
Upgrade to the latest version of PHP (5.3.8 or later), available from the Mozilla Web site at http://www.php.net/downloads.php |
Related URL | CVE-2011-3189 (CVE) |
Related URL | 49376 (SecurityFocus) |
Related URL | 69429 (ISS) |