oss-sec mailing list archives
389-ds DoS due to improper handling of ger attr searches (CVE-2013-4485)
From: Vincent Danen <vdanen () redhat com>
Date: Thu, 21 Nov 2013 08:15:07 -0700
A flaw was found in how 389-ds-base and Red Hat Directory Server handled the checking of access rights on entries using GER (Get Effective Rights), a way to extend directory searches to also display what access rights a user has to a specified entry. When an attribute list is given in the search request, and if there are several attributes whose names contain the '@' character, 389-ds-base and Red Hat Directory Server would crash. An attacker able to contact the server would be able to submit this type of search request with no authentication required.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4485

(Obviously no CVE is required, posting here as this was previously sent to the distros@ mailing list)

--
Vincent Danen / Red Hat Security Response Team
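The advisory above gives a defender one concrete, log-visible signal: a search request whose attribute list names several attributes containing '@', issued over an unauthenticated connection. The following is an added example, not part of the oss-sec post or of the 389-ds project, that scans constructed access-log lines for that pattern. It assumes the standard 389-ds access-log layout for BIND and SRCH lines (a `dn="..."` field on BIND and an `attrs="..."` field on SRCH); it does not assume the GER control itself appears in the log, and the sample lines and host names are invented.

```python
import re
from typing import Dict, List

# Constructed sample lines in the style of the 389-ds access log.
# They are invented for this example and are not from the advisory.
SAMPLE_ACCESS_LOG = """\
[21/Nov/2013:08:15:07 -0700] conn=5 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[21/Nov/2013:08:15:07 -0700] conn=5 op=0 BIND dn="" method=128 version=3
[21/Nov/2013:08:15:07 -0700] conn=5 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs="cn sn mail"
[21/Nov/2013:08:15:08 -0700] conn=6 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[21/Nov/2013:08:15:08 -0700] conn=6 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs="cn@example sn@example mail"
[21/Nov/2013:08:15:09 -0700] conn=7 op=0 BIND dn="" method=128 version=3
[21/Nov/2013:08:15:09 -0700] conn=7 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs="cn@x sn@y"
"""

# A BIND line records the DN the connection authenticated as; an empty DN is an anonymous bind.
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)"')
# A SRCH line records the requested attribute list, space separated, in attrs="...".
SRCH_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH .*?attrs="(?P<attrs>[^"]*)"')


def is_anonymous(bind_dn: str) -> bool:
    """An empty bind DN in the 389-ds access log means the connection never authenticated."""
    return bind_dn == ""


def find_suspect_searches(log_text: str, min_at_attrs: int = 2) -> List[Dict]:
    """Return SRCH operations whose attribute list has at least `min_at_attrs`
    attribute names containing '@', together with the bind DN of that connection.

    The advisory describes the crash trigger as "several" such attributes, so the
    threshold defaults to two; raise it to reduce noise in environments where
    single '@'-style attribute requests are routine.
    """
    bind_dn_by_conn: Dict[str, str] = {}
    hits: List[Dict] = []
    for line in log_text.splitlines():
        bind = BIND_RE.search(line)
        if bind:
            # Track the most recent bind on each connection id.
            bind_dn_by_conn[bind.group("conn")] = bind.group("dn")
            continue
        srch = SRCH_RE.search(line)
        if not srch:
            continue
        attrs = srch.group("attrs").split()
        at_attrs = [a for a in attrs if "@" in a]
        if len(at_attrs) < min_at_attrs:
            continue
        # Connections with no BIND line seen are treated as anonymous (conservative).
        bind_dn = bind_dn_by_conn.get(srch.group("conn"), "")
        hits.append({
            "conn": srch.group("conn"),
            "op": srch.group("op"),
            "bind_dn": bind_dn,
            "anonymous": is_anonymous(bind_dn),
            "at_attrs": at_attrs,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspect_searches(SAMPLE_ACCESS_LOG):
        who = "anonymous" if hit["anonymous"] else hit["bind_dn"]
        print(f'conn={hit["conn"]} op={hit["op"]} by {who}: {hit["at_attrs"]}')
```

Run against a real access log, the anonymous hits are the ones matching the advisory's "no authentication required" case; if the server is expected to serve only authenticated clients, the same scan doubles as a check that anonymous binds are actually disabled.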