[Bug 190629] New: authentication bypass in Horde_Ldap

bz-noreply at freebsd.org
Wed Jun 4 21:48:59 UTC 2014


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=190629

            Bug ID: 190629
           Summary: authentication bypass in Horde_Ldap
           Product: Ports Tree
           Version: Latest
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs at FreeBSD.org
          Reporter: peo at bsdlabs.com

An authentication bypass vulnerability has been discovered in the Horde_Ldap
library, which is used by all components of the Horde project that
communicate with LDAP servers.
A fixed version has been released, and everybody using LDAP in their Horde
installations is advised to upgrade to Horde_Ldap 2.0.6 as soon as possible.
So far only certain setups have been confirmed to be exploitable: the system
must use LDAP for authentication, an LDAP user must have been specified for
binding (as opposed to anonymous binding), that LDAP user must have the same
parent DN as the system users, and the attacker must guess the binding user's
name. In this case the attacker can log in with the guessed name and an empty
password. Whether this actually allows further access to data or to the
system depends entirely on the individual setup. It is also possible that other
mitigating factors exist that have not been discovered yet.
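The report lists the conditions under which the bypass works but not the library's root cause. The following added example (not Horde code, and not an attempt to reproduce Horde_Ldap's internals) shows the checks an LDAP authentication backend should make before binding: reject empty passwords, since LDAP treats a bind with a name and an empty password as an unauthenticated bind (RFC 4513 section 5.1.2), and refuse to treat the configured service bind account as an interactive user. The directory, base DN and account names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP server (not a real client library)."""
    entries: dict  # constructed sample data: DN -> password

    def bind(self, dn: str, password: str) -> str:
        # RFC 4513 s5.1.2: a bind with a name but an empty password is an
        # *unauthenticated* bind. Servers that allow it return success
        # without checking any credential, so the caller must not treat
        # "bind succeeded" as "password verified".
        if dn and password == "":
            return "unauthenticated"
        if dn in self.entries and self.entries[dn] == password:
            return "authenticated"
        raise PermissionError("invalid credentials")


BASE_DN = "ou=people,dc=example,dc=org"            # constructed
BIND_DN = f"uid=svc-app,{BASE_DN}"                 # service account shares the users' parent DN


def naive_login(ldap: FakeDirectory, username: str, password: str) -> bool:
    """Vulnerable pattern: any successful bind counts as a login."""
    dn = f"uid={username},{BASE_DN}"
    try:
        ldap.bind(dn, password)
        return True
    except PermissionError:
        return False


def hardened_login(ldap: FakeDirectory, username: str, password: str) -> bool:
    """Checks to perform before and after the bind."""
    if password == "":
        return False  # never issue a bind the server may treat as unauthenticated
    dn = f"uid={username},{BASE_DN}"
    if dn.lower() == BIND_DN.lower():
        return False  # the service bind account is not an interactive user
    try:
        # only a credential-checked bind is a successful login
        return ldap.bind(dn, password) == "authenticated"
    except PermissionError:
        return False
```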

Thanks to Matthew Daley for detecting and reporting this vulnerability.
