Gentoo Logo

phpLDAPadmin: Authentication bypass

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200509-04 / phpLDAPadmin
Release Date September 06, 2005
Latest Revision September 06, 2005: 01
Impact low
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-nds/phpldapadmin < 0.9.7_alpha6 >= 0.9.7_alpha6 All supported architectures

Related bugreports: #104293

Synopsis

A flaw in phpLDAPadmin may allow attackers to bypass security restrictions and connect anonymously.

2.  Impact Information

Background

phpLDAPadmin is a web-based LDAP client allowing to easily manage LDAP servers.

Description

Alexander Gerasiov discovered a flaw in login.php preventing the application from validating whether anonymous bind has been disabled in the target LDAP server configuration.

Impact

Anonymous users can access the LDAP server, even if the "disable_anon_bind" parameter was explicitly set to avoid this.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All phpLDAPadmin users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-nds/phpldapadmin-0.9.7_alpha6"

4.  References

Print

Page updated September 06, 2005

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.