[horde] SECURITY: authentication bypass in Horde_Ldap
jan at horde.org
Tue Jun 3 09:06:44 UTC 2014
An authentication bypass vulnerability has been discovered in the
Horde_Ldap library, which is used by all components of the Horde
project that communicate with LDAP servers.
A fixed version has been released and everybody using LDAP in their
Horde installations is advised to upgrade to Horde_Ldap 2.0.6 as soon
So far only certain setups have been confirmed to be exploitable: the
system must use LDAP for authentication, an LDAP user must have been
specified for binding (as opposed to anonymous binding), that LDAP
user must have the same parent DN as the system users, and the
attacker must guess the binding user's name. In this case the attacker
can log in with the guessed name and an empty password. Whether this
actually allows further access to data or to the system depends
entirely on the individual setup. It is also possible that other
mitigating factors exist that have not been discovered yet.
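The advisory does not spell out the mechanism, so the following is an added illustration, not Horde_Ldap code: it assumes the "empty password" login rests on the LDAP unauthenticated bind (RFC 4513 section 5.1.2), where a DN with an empty password is accepted by many servers as an anonymous bind, and it models that with a constructed stand-in server rather than a real LDAP client. It shows a login routine that mistakes any non-failed bind for authentication beside one that rejects empty credentials before binding and only accepts a genuinely authenticated bind; the stub does not reproduce Horde_Ldap's exact preconditions.

```python
# Added example (not Horde_Ldap code). Assumption: the bypass is the RFC 4513
# 5.1.2 unauthenticated bind, where DN + empty password yields an anonymous
# "success" on many LDAP servers. The server below is a constructed stand-in.

class FakeLdapServer:
    """Constructed stand-in for an LDAP server; not a real LDAP client."""

    def __init__(self, entries):
        self.entries = entries            # dn -> password

    def simple_bind(self, dn, password):
        """Mimics servers that accept an unauthenticated (empty-password) bind."""
        if password == "":
            return "anonymous"            # bind 'succeeds', but as nobody
        if self.entries.get(dn) == password:
            return "authenticated"
        return "failed"


def user_dn(username, base_dn):
    return "uid=%s,%s" % (username, base_dn)


def login_naive(server, username, password, base_dn):
    # Vulnerable pattern: any bind result other than "failed" counts as a login,
    # so an anonymous bind obtained with an empty password is accepted.
    return server.simple_bind(user_dn(username, base_dn), password) != "failed"


def login_hardened(server, username, password, base_dn):
    # Reject empty credentials before touching the server, and accept only a
    # bind that actually authenticated the supplied DN.
    if not username or not password:
        return False
    return server.simple_bind(user_dn(username, base_dn), password) == "authenticated"


# Constructed directory: the binding user and the ordinary users share one
# parent DN, matching the setup the advisory describes as exploitable.
BASE_DN = "ou=people,dc=example,dc=org"
DIRECTORY = FakeLdapServer({
    user_dn("hordebind", BASE_DN): "s3cret-bind-pw",   # constructed value
    user_dn("alice", BASE_DN): "alice-pw",             # constructed value
})
```

A real deployment should additionally confirm, after binding, that the server reports the expected authorization identity (for example via the LDAP "Who am I?" extended operation) rather than an anonymous one.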
Thanks to Matthew Daley for detecting and reporting this vulnerability.
The Horde Project