ZendTo Authentication Bypass Vulnerability in NSS Authenticator

Vulnerability

A type confusion vulnerability has been identified in ZendTo versions prior to 5.04-7, specifically within the NSSAuthenticator component. It allows remote attackers to bypass authentication for users whose passwords are stored as MD5 hashes that can be interpreted as numerical values. The issue arises because the authentication routine compares the stored hash with the hash of the submitted password using a loose, type-juggling comparison: two hash strings that both look like numbers are compared as numbers rather than byte for byte, so crafted input can be accepted as a valid password. Even in ZendTo versions later than 5.03-1, the bypass still affects users whose passwords remain stored as legacy MD5 hashes.

Impact

Exploitation of this vulnerability allows for unauthorized access to user accounts, bypassing the normal authentication process.

Reproduction

To reproduce this vulnerability, log in to a ZendTo instance as a user whose legacy MD5 password hash starts with '0e' followed only by digits. The authentication process will incorrectly validate the password, allowing access to the user account.

Remediation

Upgrade to ZendTo version 5.04-7 or later and have all users log in at least once to transition their passwords to bcrypt.
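The comparison defect described under Vulnerability, beside the hardened form and an audit helper for the Remediation step, as an added illustration written for this entry (constructed PHP, not ZendTo's own code; function names, the regular expression and the sample user table are assumptions). In PHP, a 32-character hex string of the form "0e" followed by 30 digits is a numeric string equal to zero, so a loose comparison of two such strings succeeds even though they differ; hash_equals compares bytes and rejects them. The audit helper flags which legacy hashes have that shape so those accounts can be moved to bcrypt first.

```php
<?php
// Constructed illustration of the loose-comparison defect; not ZendTo's code.
// A legacy MD5 hash that happens to be "0e" plus 30 digits is read by PHP's
// == operator as the float 0 * 10^N, so any two such hashes compare equal.

// Vulnerable shape: loose (type-juggling) comparison of two hash strings.
function legacyCheckVulnerable(string $storedMd5, string $candidateMd5): bool
{
    return $storedMd5 == $candidateMd5; // numeric strings are compared as floats
}

// Hardened shape: constant-time, byte-for-byte comparison.
function legacyCheckFixed(string $storedMd5, string $candidateMd5): bool
{
    return hash_equals($storedMd5, $candidateMd5);
}

// Audit helper: does this stored MD5 hash have the numeric "0e" + digits shape?
// Accounts that match should be migrated to bcrypt (or reset) first.
function isNumericMd5Hash(string $hash): bool
{
    return (bool) preg_match('/^0e[0-9]{30}$/i', $hash);
}

// Constructed sample hashes (not derived from real passwords): two different
// 32-character strings that both have the "0e" + digits shape.
$stored    = '0e' . str_repeat('1', 30);
$candidate = '0e' . str_repeat('2', 30);

echo 'loose comparison accepts mismatched hashes: ';
var_dump(legacyCheckVulnerable($stored, $candidate));
echo 'hash_equals accepts mismatched hashes:      ';
var_dump(legacyCheckFixed($stored, $candidate));

// Constructed user table to audit; legacy_md5 is null once bcrypt is in use.
$users = [
    'alice' => ['legacy_md5' => $stored, 'bcrypt' => null],
    'bob'   => ['legacy_md5' => '5f4dcc3b5aa765d61d8327deb882cf99', 'bcrypt' => null],
    'carol' => ['legacy_md5' => null, 'bcrypt' => password_hash('example', PASSWORD_BCRYPT)],
];
foreach ($users as $name => $row) {
    if ($row['legacy_md5'] !== null && isNumericMd5Hash($row['legacy_md5'])) {
        echo "$name: numeric-looking legacy MD5 hash, migrate or reset first\n";
    } elseif ($row['legacy_md5'] !== null) {
        echo "$name: legacy MD5 hash, migrate to bcrypt at next login\n";
    }
}
```

Run the audit against the real user store after upgrading, then confirm every flagged account has logged in and no longer carries a legacy hash.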

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 5.0
exploitability: 9.5
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.