ZF-11839: Security concern with Zend_Auth_Adapter_Ldap


I am using Zend 1.11.11. The Zend_Auth_Adapter_Ldap adapter makes an effort to conceal the password of the user in the stacktrace by doing a string replace on line 374.

$messages[] = str_replace($password, '*****', $zle->getTraceAsString());

However, this method is not secure. Any password that happens to have the same combination of letters as other words in the stack trace can be derived by reading the stack trace. For example, if my username is "administrator" and my password is "admin", my stack trace would look like this:

authenticate('*****istrator', '*****')

Anyone who reads the stack trace would immediately know the password for administrator is admin.
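The leak the report describes, next to a redaction that does not depend on the secret's value, as an added example (this is not Zend Framework code); the trace line, the password and the helper names are constructed for illustration:

```php
<?php
// Added example, not Zend Framework code. Reproduces the substring-redaction
// leak from the report and shows a redaction keyed on the trace's structure
// rather than on the value of the secret.

// Constructed trace line in the format Exception::getTraceAsString() emits.
$trace    = "#0 /app/Ldap.php(374): Zend_Auth_Adapter_Ldap->authenticate('administrator', 'admin')";
$password = 'admin';

// 1. The original approach: replace every occurrence of the password string.
//    Any other token that contains the password is mangled too, so the
//    position of the asterisks reveals the password ("*****istrator").
function redactBySubstring(string $trace, string $password): string
{
    return str_replace($password, '*****', $trace);
}

// 2. Safer approach: mask the whole argument list of every frame, so the
//    output is identical no matter what the password is or how it relates
//    to other strings in the trace. Matches "#N file(line): Class->method("
//    (class part optional) and drops everything up to the frame's closing ")".
function redactArguments(string $trace): string
{
    $pattern = '/^(#\d+ .*?\): (?:[\w\\\\]+(?:->|::))?\w+\()[^\n]*\)$/m';
    return preg_replace($pattern, '$1...)', $trace);
}

echo redactBySubstring($trace, $password), PHP_EOL;
// #0 /app/Ldap.php(374): Zend_Auth_Adapter_Ldap->authenticate('*****istrator', '*****')
echo redactArguments($trace), PHP_EOL;
// #0 /app/Ldap.php(374): Zend_Auth_Adapter_Ldap->authenticate(...)
```

On PHP 7.4 and later, the `zend.exception_ignore_args` ini setting keeps argument values out of recorded traces altogether, which removes the need for after-the-fact redaction.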


Fixed in trunk (r24526), in 1.11-release branch (r24527) and in ZF2 (