phpLDAPadmin: Authentication bypass — GLSA 200509-04

A flaw in phpLDAPadmin may allow attackers to bypass security restrictions and connect anonymously.

Affected packages

net-nds/phpldapadmin on all architectures
Affected versions < 0.9.7_alpha6
Unaffected versions >= 0.9.7_alpha6

Background

phpLDAPadmin is a web-based LDAP client allowing to easily manage LDAP servers.

Description

Alexander Gerasiov discovered a flaw in login.php preventing the application from validating whether anonymous bind has been disabled in the target LDAP server configuration.

Impact

Anonymous users can access the LDAP server, even if the "disable_anon_bind" parameter was explicitly set to avoid this.

Workaround

There is no known workaround at this time.

Resolution

All phpLDAPadmin users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-nds/phpldapadmin-0.9.7_alpha6"

References

Release date
September 06, 2005

Latest revision
September 06, 2005: 01

Severity
low

Exploitable
remote

Bugzilla entries