Description

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-287

Consequences

Access Control: Bypass Protection Mechanism

Potential Mitigations

CVE References

• CVE-2002-1374
  • The provided password is only compared against the first character of the real password.

• CVE-2000-0979
  • The password is not properly checked, which allows remote attackers to bypass access controls by sending a 1-byte password that matches the first character of the real password.

• CVE-2001-0088
  • Chain: Forum software does not properly initialize an array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the password and gain administrative privileges.