Gentoo Logo

phpLDAPadmin: Authentication bypass


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200509-04 / phpLDAPadmin
Release Date September 06, 2005
Latest Revision September 06, 2005: 01
Impact low
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-nds/phpldapadmin < 0.9.7_alpha6 >= 0.9.7_alpha6 All supported architectures

Related bugreports: #104293


A flaw in phpLDAPadmin may allow attackers to bypass security restrictions and connect anonymously.

2.  Impact Information


phpLDAPadmin is a web-based LDAP client allowing to easily manage LDAP servers.


Alexander Gerasiov discovered a flaw in login.php preventing the application from validating whether anonymous bind has been disabled in the target LDAP server configuration.


Anonymous users can access the LDAP server, even if the "disable_anon_bind" parameter was explicitly set to avoid this.

3.  Resolution Information


There is no known workaround at this time.


All phpLDAPadmin users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-nds/phpldapadmin-0.9.7_alpha6"

4.  References


Page updated September 06, 2005

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.