GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Tue Sep 06, 2005 1:52 pm Post subject: [ GLSA 200509-04 ] phpLDAPadmin: Authentication bypass |
|
|
Gentoo Linux Security Advisory
Title: phpLDAPadmin: Authentication bypass (GLSA 200509-04)
Severity: low
Exploitable: remote
Date: September 06, 2005
Bug(s): #104293
ID: 200509-04
Synopsis
A flaw in phpLDAPadmin may allow attackers to bypass security restrictions
and connect anonymously.
Background
phpLDAPadmin is a web-based LDAP client allowing to easily manage
LDAP servers.
Affected Packages
Package: net-nds/phpldapadmin
Vulnerable: < 0.9.7_alpha6
Unaffected: >= 0.9.7_alpha6
Architectures: All supported architectures
Description
Alexander Gerasiov discovered a flaw in login.php preventing the
application from validating whether anonymous bind has been disabled in
the target LDAP server configuration.
Impact
Anonymous users can access the LDAP server, even if the
"disable_anon_bind" parameter was explicitly set to avoid this.
Workaround
There is no known workaround at this time.
Resolution
All phpLDAPadmin users should upgrade to the latest version:
Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=net-nds/phpldapadmin-0.9.7_alpha6" |
References
CAN-2005-2654
Secunia Advisory SA16611
Last edited by GLSA on Fri Jan 20, 2012 4:20 am; edited 5 times in total |
|