oss-sec mailing list archives

Re: CVE request: DBMail <2.2.9

From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 17 Apr 2008 17:06:52 -0400 (EDT)


======================================================
Name: CVE-2007-6714
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6714
Reference: MLIST:[Dbmail-dev] 20071216 [DBMail 0000662]: Ability to bypass authentication.
Reference: URL:http://www.mail-archive.com/dbmail-dev () dbmail org/msg09942.html
Reference: CONFIRM:http://dbmail.org/index.php?page=news&id=44

DBMail before 2.2.9, when using authldap with an LDAP server that
supports anonymous login such as Active Directory, allows remote
attackers to bypass authentication via an empty password, which causes
the LDAP bind to indicate success based on anonymous authentication.

Current thread:

CVE request: DBMail <2.2.9 Matthias Geerdsen (Apr 17)
- Re: CVE request: DBMail <2.2.9 Steven M. Christey (Apr 17)