Joined: 12 May 2004
|Posted: Tue Sep 06, 2005 1:52 pm Post subject: [ GLSA 200509-04 ] phpLDAPadmin: Authentication bypass
|Gentoo Linux Security Advisory
Title: phpLDAPadmin: Authentication bypass (GLSA 200509-04)
Date: September 06, 2005
A flaw in phpLDAPadmin may allow attackers to bypass security restrictions
and connect anonymously.
phpLDAPadmin is a web-based LDAP client allowing to easily manage
Vulnerable: < 0.9.7_alpha6
Unaffected: >= 0.9.7_alpha6
Architectures: All supported architectures
Alexander Gerasiov discovered a flaw in login.php preventing the
application from validating whether anonymous bind has been disabled in
the target LDAP server configuration.
Anonymous users can access the LDAP server, even if the
"disable_anon_bind" parameter was explicitly set to avoid this.
There is no known workaround at this time.
All phpLDAPadmin users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=net-nds/phpldapadmin-0.9.7_alpha6"
Secunia Advisory SA16611
Last edited by GLSA on Fri Jan 20, 2012 4:20 am; edited 5 times in total