[announce] SECURITY: authentication bypass in Horde_Ldap
Jan Schneider
jan at horde.org
Tue Jun 3 09:06:44 UTC 2014
Hello,
an authentication bypass vulnerability has been discovered in the
Horde_Ldap library, which is used by all components of the Horde
project that communicate with LDAP servers.
A fixed version has been released and everybody using LDAP in their
Horde installations is advised to upgrade to Horde_Ldap 2.0.6 as soon
as possible.
So far only certain setups have been confirmed to be exploitable: the
system must use LDAP for authentication, an LDAP user must have been
specified for binding (as opposed to anonymous binding), that LDAP
user must have the same parent DN as the system users, and the
attacker must guess the binding user's name. In this case the attacker
can log in with the guessed name and an empty password. Whether this
actually allows further access to data or to the system depends
entirely on the individual setup. It is also possible that other
mitigating factors exist that have not been discovered yet.
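The advisory does not describe the affected code path, so the following is an added illustration, not Horde_Ldap code: it models the general failure mode behind "login with an empty password" in LDAP-backed authentication. Per RFC 4513 section 5.1.2, a simple bind with a non-empty DN and an empty password is an unauthenticated bind that servers may accept as anonymous, so a login routine that equates "bind succeeded" with "password verified" can be bypassed; the hardened variant rejects empty credentials before binding and checks the identity actually bound. The directory contents and DNs are constructed.

```python
"""Illustration (not Horde_Ldap code) of why an LDAP-backed login must reject
empty passwords before binding and confirm the bound identity afterwards."""
from dataclasses import dataclass

# Constructed directory: DN -> password. The application's own bind account
# shares the parent DN with ordinary users, matching the advisory's precondition.
BASE_DN = "ou=people,dc=example,dc=org"
DIRECTORY = {
    f"uid=hordebind,{BASE_DN}": "S3rv1ce-secret",
    f"uid=alice,{BASE_DN}": "correct horse",
}


@dataclass
class BindResult:
    success: bool
    authzid: str  # identity the connection holds after the bind


def simple_bind(dn: str, password: str) -> BindResult:
    """Model of an LDAP server's simple bind (RFC 4513 section 5.1)."""
    if dn == "" and password == "":
        return BindResult(True, "anonymous")   # 5.1.1 anonymous bind
    if dn != "" and password == "":
        return BindResult(True, "anonymous")   # 5.1.2 unauthenticated bind
    if DIRECTORY.get(dn) == password:
        return BindResult(True, dn)            # 5.1.3 name/password bind
    return BindResult(False, "")               # invalidCredentials


def login_vulnerable(username: str, password: str) -> bool:
    """Treats any successful bind as proof of identity: an empty password
    yields an anonymous bind that still reports success."""
    return simple_bind(f"uid={username},{BASE_DN}", password).success


def login_hardened(username: str, password: str) -> bool:
    """Rejects empty credentials up front and requires that the connection
    is bound as the user's own DN, not merely that the bind succeeded."""
    if not username or not password:
        return False
    dn = f"uid={username},{BASE_DN}"
    result = simple_bind(dn, password)
    return result.success and result.authzid == dn
```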
Thanks to Matthew Daley for detecting and reporting this vulnerability.
--
Jan Schneider
The Horde Project
http://www.horde.org/
https://www.facebook.com/hordeproject