Security advisory: zero-valued authentication credentials vulnerability
DoctrineModule version 0.7.2 has just been released and includes a security fix for #248 via @5f79a9f7b and @78018ef568.
Affected versions
All versions below 0.7.2 are affected. dev-master and 0.8.x are not affected starting from @78018ef568.
Description
As of #248 it is possible (under certain circumstances) to obtain a valid Zend\Authentication identity even without knowing the user's credentials by using a numerically valued credential in DoctrineModule\Authentication\Adapter\ObjectRepository.
Exploits
Because of a mistake in how authentication credentials are compared in DoctrineModule\Authentication\Adapter\ObjectRepository, it is possible to authenticate against an application with a numeric credential value.
Assuming a user with username "admin" and a password hash "00000" (or a numerically cast equivalent) in the database, the following code will authenticate the user (assuming no hashing method is applied to the input credential):
```php
// Vulnerable behaviour on DoctrineModule < 0.7.2: the supplied credential '0'
// loosely equals the stored hash "00000", so authentication succeeds.
$adapter = new \DoctrineModule\Authentication\Adapter\ObjectRepository();
$adapter->setOptions(array(
    'object_repository' => $objectRepository, // repository holding the user entities
    'credential_property' => 'password',
    'identity_property' => 'username'
));
$adapter->setIdentityValue('admin');
$adapter->setCredentialValue('0');

$authService = new \Zend\Authentication\AuthenticationService();
$authService->setAdapter($adapter);
var_dump($authService->authenticate()->isValid()); // true
```
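The root cause is PHP's loose comparison of numeric strings. The following is an added example, not DoctrineModule's own code: it contrasts a loose credential check with a strict one and shows a hardened callback in the shape assumed for the adapter's `credential_callable` option (the `($identity, $credential)` signature and `getPassword()` accessor are assumptions); the stored hash is a constructed sample.

```php
<?php
// Added example (not from DoctrineModule). Demonstrates why a numeric credential
// matches a numeric-looking stored value under PHP's loose comparison, and a
// strict comparison that does not.

// Constructed sample, standing in for the credential property loaded from the DB.
$storedHash = "00000";

// Loose comparison: when both operands are numeric strings PHP compares them as
// numbers, so "0" == "00000" is true. This is the class of defect behind #248.
function looseCredentialMatch(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// Hardened: byte-exact comparison with no numeric coercion (=== would also
// avoid the coercion; hash_equals additionally runs in constant time).
function strictCredentialMatch(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Hypothetical credential callback (assumed signature: identity entity, raw
// credential). Use this instead of relying on the adapter's default comparison
// whenever the stored value is compared directly to user input.
$credentialCallable = function ($identity, string $credential): bool {
    return strictCredentialMatch($identity->getPassword(), $credential);
};

// Inputs to compare against the stored value: the advisory's '0', the exact
// value, another numeric string, and a non-numeric string.
foreach (['0', '00000', '0e5', 'admin'] as $input) {
    printf(
        "%-6s loose=%-5s strict=%s\n",
        $input,
        var_export(looseCredentialMatch($storedHash, $input), true),
        var_export(strictCredentialMatch($storedHash, $input), true)
    );
}
```

Only the exact value "00000" passes the strict check, while every numeric string passes the loose one; a wrapper that logs the loose/strict disagreement is a cheap way to detect this class of bug in legacy adapters.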
Resolution
If you are using an affected version of DoctrineModule (any version below 0.7.2), you must upgrade as soon as possible by running a composer update. Please ensure that you have at least version 0.7.2 of DoctrineModule installed.
Credits
This issue was discovered by @atans and a fix was quickly developed by @bakura10: thanks to both!