oss-sec mailing list archives
Re: CVE Request: Horde_Ldap: Stricter parameter check in bind() to detect empty passwords
From: cve-assign () mitre org
Date: Fri, 13 Jun 2014 22:31:19 -0400 (EDT)
> From: Matthew Daley <mattd () bugfuzz com>
> Date: Mon, 9 Jun 2014 21:03:15 +1200
>
> If either of these arguments is empty() (as in, the PHP standard library function empty()), the LDAP bind user DN or password from Horde configuration is passed to ldap_bind instead.
>
> ...
>
> The issue is that empty() returns true not just for null values but also - amongst other things - for empty strings. Hence, a user can simply provide an empty password
https://github.com/horde/horde/commit/8f719b53b0ee2d4b8a40a770430683c98fb5f2fd
https://github.com/horde/horde/commit/4c3e18f1724ab39bfef10c189a5b52036a744d55
Use CVE-2014-3999.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
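An added illustration of the empty()-versus-null check the thread describes; it is not Horde's code and not the patch from the linked commits, and the configuration values, DNs and function names are constructed for the example. It models only the credential-selection step before ldap_bind() is called.

```php
<?php
// Constructed stand-in for Horde's LDAP bind configuration (not real values).
$config = [
    'binddn' => 'cn=service,dc=example,dc=org',
    'bindpw' => 'service-secret',
];

// Vulnerable selection, modelled on the quoted description: empty() is true
// for null, '' and '0', so a user who submits an empty (or "0") password has
// it silently replaced by the configured service-account password, and the
// directory server never sees the credential the user actually supplied.
function selectCredentialsVulnerable(?string $dn, ?string $password, array $config): array
{
    if (empty($dn)) {
        $dn = $config['binddn'];
    }
    if (empty($password)) {
        $password = $config['bindpw'];
    }
    return ['dn' => $dn, 'password' => $password];
}

// Hardened selection (assumed shape, not the actual Horde patch): only an
// explicit null means "use the configured account"; any string, including
// '' and '0', is passed through unchanged so the server evaluates it itself.
function selectCredentialsFixed(?string $dn, ?string $password, array $config): array
{
    if ($dn === null) {
        $dn = $config['binddn'];
    }
    if ($password === null) {
        $password = $config['bindpw'];
    }
    return ['dn' => $dn, 'password' => $password];
}

// Compare what each variant would hand to ldap_bind() for a few inputs.
$userDn = 'uid=alice,ou=people,dc=example,dc=org';
foreach (['', '0', 'real-password', null] as $supplied) {
    $v = selectCredentialsVulnerable($userDn, $supplied, $config);
    $f = selectCredentialsFixed($userDn, $supplied, $config);
    printf("supplied=%-15s vulnerable=%-16s fixed=%s\n",
        var_export($supplied, true), $v['password'], $f['password']);
}
// supplied=''  -> vulnerable uses service-secret, fixed passes '' through
// supplied='0' -> vulnerable uses service-secret, fixed passes '0' through
// supplied=NULL -> both fall back to service-secret (explicit service bind)
```

For detection, the same comparison shows why an empty-password login attempt against the vulnerable code leaves no failed-bind trace for the user's own credential in the directory log.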