ZF-11839: Security concern with Zend_Auth_Adapter_Ldap

Issue Type: Bug Created: 2011-10-24T12:58:29.000+0000 Last Updated: 2011-10-24T15:24:36.000+0000 Status: Resolved Fix version(s): - 1.11.12 (22/Jun/12)

Reporter: Mike Kiscaden (mrkiscaden) Assignee: Stefan Gehrig (sgehrig) Tags: - Zend_Auth_Adapter_Ldap

Related issues: Attachments:


I am using Zend 1.11.11. The Zend_Auth_Adapter_Ldap adapter makes an effort to conceal the password of the user in the stacktrace by doing a string replace on line 374.

$messages[] = str_replace($password, '*****', $zle->getTraceAsString());

However this method is not secure. Any password that happens to have the same combination of letters as other words in the stack trace can be derived by reading the stack trace. For example, If my username is "administrator" and my password is "admin", my stacktrace would look like this:

authenticate('*****istrator', '*****')

Anyone who reads the stack trace would immediately know the password for administrator is admin.


Posted by Stefan Gehrig (sgehrig) on 2011-10-24T15:24:36.000+0000

Fixed in trunk (r24526), in 1.11-release branch (r24527) and in ZF2 (

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.