[Bug 190629] New: authentication bypass in Horde_Ldap
bz-noreply at freebsd.org
Wed Jun 4 21:48:59 UTC 2014
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=190629
Bug ID: 190629
Summary: authentication bypass in Horde_Ldap
Product: Ports Tree
Version: Latest
Hardware: Any
OS: Any
Status: Needs Triage
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs at FreeBSD.org
Reporter: peo at bsdlabs.com
An authentication bypass vulnerability has been discovered in the Horde_Ldap
library, which is used by all components of the Horde project that
communicate with LDAP servers.
A fixed version has been released and everybody using LDAP in their Horde
installations is advised to upgrade to Horde_Ldap 2.0.6 as soon as possible.
So far only certain setups have been confirmed to be exploitable: the system
must use LDAP for authentication, an LDAP user must have been specified for
binding (as opposed to anonymous binding), that LDAP user must have the same
parent DN as the system users, and the attacker must guess the binding user's
name. In this case the attacker can log in with the guessed name and an empty
password. Whether this actually allows further access to data or to the
system depends completely on the individual setup. It's possible that other
mitigating factors exist that haven't been discovered yet.
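The report does not describe the defect inside Horde_Ldap itself, only the observable effect: a known username plus an empty password passes the login. The classic way an LDAP-backed login ends up like this is the "unauthenticated bind" of RFC 4513 section 5.1.2: a simple bind carrying a DN and an empty password is not an error on many servers, it succeeds and leaves the connection anonymous, so any code that equates "bind succeeded" with "password verified" is bypassed. The following Python is an added illustration of that general pattern, not Horde's code and not a reconstruction of the Horde_Ldap bug (in this toy model any name with an empty password works, whereas the report says only the binding user's name was exploitable, so Horde's actual logic differed in details the report does not give). The directory contents, DNs, passwords and the simple_bind() model are all constructed here; no real LDAP server is contacted.

```python
from dataclasses import dataclass

# Constructed toy directory (DN -> password). The service account used for the
# initial bind and the end users share the same parent DN, as in the setup the
# report describes as exploitable.
BASE_DN = "ou=people,dc=example,dc=com"
DIRECTORY = {
    f"uid=hordebind,{BASE_DN}": "s3rvice-secret",  # configured binding user
    f"uid=alice,{BASE_DN}": "alice-pass",
}


@dataclass
class BindResult:
    success: bool
    authz_id: str  # identity the connection holds afterwards; "" = anonymous


def simple_bind(dn: str, password: str) -> BindResult:
    """Model of the LDAP simple bind outcomes defined in RFC 4513 section 5.1.

    - empty DN, empty password: anonymous bind, succeeds
    - non-empty DN, empty password: 'unauthenticated' bind; servers that allow
      it answer success but the connection is only anonymous
    - otherwise: succeeds only when the password matches the entry
    This is a simulation written for the example, not a real server.
    """
    if password == "":
        # Covers both the anonymous and the unauthenticated case: the server
        # says "success" without having checked any credential.
        return BindResult(True, "")
    if DIRECTORY.get(dn) == password:
        return BindResult(True, dn)
    return BindResult(False, "")


def user_dn(username: str) -> str:
    """Build the user DN the same way for every account under BASE_DN."""
    return f"uid={username},{BASE_DN}"


def login_vulnerable(username: str, password: str) -> bool:
    """Treats any successful bind as proof of identity: the empty-password
    bind succeeds, so a guessed username alone logs in."""
    return simple_bind(user_dn(username), password).success


def login_hardened(username: str, password: str) -> bool:
    """Refuse empty credentials before talking to the directory, and require
    that the bind actually authenticated as the DN that was requested (the
    equivalent of checking 'whoami' after the bind)."""
    if not username or not password:
        return False
    dn = user_dn(username)
    result = simple_bind(dn, password)
    return result.success and result.authz_id == dn


if __name__ == "__main__":
    print("vulnerable, bind user + empty password:", login_vulnerable("hordebind", ""))
    print("hardened,   bind user + empty password:", login_hardened("hordebind", ""))
    print("hardened,   alice + correct password: ", login_hardened("alice", "alice-pass"))
```

Both checks in login_hardened() matter: rejecting the empty password client-side stops the unauthenticated bind from ever being sent, and comparing the resulting authorization identity against the requested DN catches any other server configuration that reports success while leaving the session anonymous.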
Thanks to Matthew Daley for detecting and reporting this vulnerability.