Issue Type: Bug Created: 2011-10-24T12:58:29.000+0000 Last Updated: 2011-10-24T15:24:36.000+0000 Status: Resolved Fix version(s): - 1.11.12 (22/Jun/12)
Reporter: Mike Kiscaden (mrkiscaden) Assignee: Stefan Gehrig (sgehrig) Tags: - Zend_Auth_Adapter_Ldap
Related issues: Attachments:
I am using Zend 1.11.11. The Zend_Auth_Adapter_Ldap adapter makes an effort to conceal the password of the user in the stacktrace by doing a string replace on line 374.
$messages = str_replace($password, '*****', $zle->getTraceAsString());
However this method is not secure. Any password that happens to have the same combination of letters as other words in the stack trace can be derived by reading the stack trace. For example, If my username is "administrator" and my password is "admin", my stacktrace would look like this:
Anyone who reads the stack trace would immediately know the password for administrator is admin.
Posted by Stefan Gehrig (sgehrig) on 2011-10-24T15:24:36.000+0000
Fixed in trunk (r24526), in 1.11-release branch (r24527) and in ZF2 (https://github.com/zendframework/zf2/pull/526)
Have you found an issue?
See the Overview section for more details.