[announce] SECURITY: authentication bypass in Horde_Ldap

Jan Schneider jan at horde.org
Tue Jun 3 09:06:44 UTC 2014


An authentication bypass vulnerability has been discovered in the
Horde_Ldap library, which is used by all components of the Horde
project that communicate with LDAP servers.
A fixed version has been released, and everybody using LDAP in their
Horde installations is advised to upgrade to Horde_Ldap 2.0.6 as soon
as possible.
So far only certain setups have been confirmed to be exploitable: the
system must use LDAP for authentication, an LDAP user must have been
specified for binding (as opposed to anonymous binding), that LDAP
user must have the same parent DN as the system users, and the
attacker must guess the binding user's name. In this case the attacker
can log in with the guessed name and an empty password. Whether this
actually allows further access to data or to the system depends
completely on the individual setup. It's also possible that other
mitigating factors exist that haven't been discovered yet.
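As an added illustration, and not part of this announcement or of the
Horde_Ldap code, the Python sketch below models the preconditions listed
above (a bind account under the same parent DN as the system users, a
login with that account's name and an empty password) and shows the
checks an authentication layer should apply before binding. The directory
contents, the account names and the "empty password falls back to the
configured bind password" pattern are assumptions for the demonstration,
not a description of the actual Horde_Ldap defect.

```python
# Added illustration, not Horde_Ldap code. All DNs and passwords are constructed.

USER_BASE_DN = "ou=people,dc=example,dc=org"
SERVICE_BIND_DN = "uid=hordebind," + USER_BASE_DN   # same parent DN as the users
SERVICE_BIND_PW = "s3rv1ce-secret"

# Stand-in for the LDAP server: DN -> stored password.
DIRECTORY = {
    SERVICE_BIND_DN: SERVICE_BIND_PW,
    "uid=alice," + USER_BASE_DN: "alice-pw",
}


def simple_bind(dn, password):
    """Simulated LDAP simple bind: succeeds only with the stored password."""
    return DIRECTORY.get(dn) == password


def user_dn(username):
    """Build the user's DN the way a fixed-base-DN setup would."""
    return "uid=%s,%s" % (username, USER_BASE_DN)


def authenticate_unsafe(username, password):
    """Assumed defective pattern (hypothetical, not the real Horde code):
    an empty password is treated as 'no password supplied' and silently
    replaced by the configured service bind password."""
    dn = user_dn(username)
    if not password:
        password = SERVICE_BIND_PW
    return simple_bind(dn, password)


def authenticate_hardened(username, password):
    """Each of the three checks defeats the advisory's scenario on its own."""
    if not password:
        return False                      # 1. never bind with an empty password
    dn = user_dn(username)
    if dn.lower() == SERVICE_BIND_DN.lower():
        return False                      # 2. the service account is not a login identity
    return simple_bind(dn, password)      # 3. bind only with the password the user sent


def demo():
    """Summarise the behaviour of both variants for the advisory's case."""
    return {
        "unsafe_bind_name_empty_pw": authenticate_unsafe("hordebind", ""),
        "hardened_bind_name_empty_pw": authenticate_hardened("hordebind", ""),
        "hardened_regular_user": authenticate_hardened("alice", "alice-pw"),
    }
```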

Thanks to Matthew Daley for detecting and reporting this vulnerability.

Jan Schneider
The Horde Project
