oss-sec mailing list archives

Re: CVE Request: Horde_Ldap: Stricter parameter check in bind() to detect empty passwords


From: cve-assign () mitre org
Date: Fri, 13 Jun 2014 22:31:19 -0400 (EDT)

From: Matthew Daley <mattd () bugfuzz com>
Date: Mon, 9 Jun 2014 21:03:15 +1200

If either of these arguments is empty() (as in, the PHP standard
library function empty()), the LDAP bind user DN or password from
Horde configuration is passed to ldap_bind instead. ... The issue is
that empty() returns true not just for null values but also - amongst
other things - for empty strings. Hence, a user can simply provide an
empty password


https://github.com/horde/horde/commit/8f719b53b0ee2d4b8a40a770430683c98fb5f2fd
https://github.com/horde/horde/commit/4c3e18f1724ab39bfef10c189a5b52036a744d55

Use CVE-2014-3999.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

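Worked illustration of the empty() pitfall described in the quoted report, added here and not taken from Horde_Ldap's own code; fake_ldap_bind(), $config and the example DNs are constructed stand-ins for the real LDAP connection and Horde configuration.

```php
<?php
// Added illustration of the empty() pitfall; not Horde_Ldap's own code.
// $config, fake_ldap_bind() and the DNs below are constructed for this example.

// Stand-in for ldap_bind(): accepts only the constructed credentials and
// reports (via $seen) which DN/password pair it was actually handed.
function fake_ldap_bind(string $dn, string $password, array &$seen): bool
{
    $seen = [$dn, $password];
    $directory = [
        'cn=admin,dc=example,dc=com' => 'admin-secret',
        'uid=alice,dc=example,dc=com' => 'alice-secret',
    ];
    return isset($directory[$dn]) && $directory[$dn] === $password;
}

$config = ['binddn' => 'cn=admin,dc=example,dc=com', 'bindpw' => 'admin-secret'];

// Vulnerable pattern: empty() is true for '' (and '0', 0, false, []) as
// well as for null, so an explicitly empty password is silently replaced
// by the configured bind password instead of being rejected.
function bind_vulnerable(array $config, $dn, $password, array &$seen): bool
{
    if (empty($dn))       { $dn = $config['binddn']; }
    if (empty($password)) { $password = $config['bindpw']; }
    return fake_ldap_bind($dn, $password, $seen);
}

// Hardened pattern: fall back to the configured defaults only when the
// argument was not supplied at all; a caller-supplied '' stays ''.
function bind_fixed(array $config, ?string $dn, ?string $password, array &$seen): bool
{
    if ($dn === null)       { $dn = $config['binddn']; }
    if ($password === null) { $password = $config['bindpw']; }
    return fake_ldap_bind($dn, $password, $seen);
}

// Constructed login attempt: empty DN and empty password.
$seen = [];
$ok = bind_vulnerable($config, '', '', $seen);
printf("vulnerable:    bound=%s as '%s'\n", var_export($ok, true), $seen[0]);

$ok = bind_fixed($config, '', '', $seen);
printf("fixed:         bound=%s as '%s'\n", var_export($ok, true), $seen[0]);

// Omitting the arguments entirely still picks up the configured defaults.
$ok = bind_fixed($config, null, null, $seen);
printf("fixed/default: bound=%s as '%s'\n", var_export($ok, true), $seen[0]);
```

The vulnerable variant binds as the configured admin DN on the empty/empty input, while the fixed variant hands the empty strings to the directory and the bind fails.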
