oss-sec mailing list archives
Re: CVE request: MantisBT Null byte poisoning in LDAP authentication
From: cve-assign () mitre org
Date: Fri, 12 Sep 2014 14:36:35 -0400 (EDT)
https://github.com/mantisbt/mantisbt/commit/fc02c46eea9d9e7cc472a7fc1801ea65d467db76
http://www.mantisbt.org/bugs/view.php?id=17640

a Null byte poisoning issue with LDAP authentication affecting MantisBT <= 1.2.17. A malicious user can exploit this vulnerability to login as any registered user and without knowing their password, to systems relying on LDAP for user authentication (e.g. Active Directory or OpenLDAP with "allow bind_anon_cred").

Use CVE-2014-6387.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
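A pre-bind credential check for the class of issue described in the message above, as an added example that is not MantisBT's code and not the fix in the linked commit. All function names are hypothetical, and `c_string_view()` models, as an assumption, how a NUL-terminated C API would read a binary-safe PHP string.

```php
<?php
// Added example; function names are hypothetical, sample inputs are constructed.

// Assumption: the LDAP client library reads the password as a C string,
// so everything from the first NUL byte onward is ignored.
function c_string_view(string $s): string {
    $pos = strpos($s, "\0");
    return $pos === false ? $s : substr($s, 0, $pos);
}

// Weak check: only rejects a password that is empty as a PHP string.
// A password that merely starts with a NUL byte passes it.
function weak_precheck(string $password): bool {
    return $password !== '';
}

// Hardened check, to run before any ldap_bind() call.
function safe_precheck(string $username, string $password): bool {
    // Reject NUL bytes anywhere in either field instead of trusting
    // lower layers to treat them consistently.
    if (strpos($username, "\0") !== false || strpos($password, "\0") !== false) {
        return false;
    }
    // A simple bind with a name and an empty password is an
    // "unauthenticated bind" (RFC 4513, section 5.1.2); servers that
    // accept it report success without verifying any credential.
    return $username !== '' && $password !== '';
}

// Constructed sample passwords.
$samples = [
    'normal password' => "correct horse",
    'empty password'  => "",
    'leading NUL'     => "\0ignored",
    'embedded NUL'    => "abc\0def",
];

foreach ($samples as $label => $pw) {
    printf(
        "%-16s weak=%-5s safe=%-5s C layer would see %d byte(s)\n",
        $label,
        var_export(weak_precheck($pw), true),
        var_export(safe_precheck('alice', $pw), true),
        strlen(c_string_view($pw))
    );
}
```

The "leading NUL" row is the case to watch: the weak check accepts it while the modelled C view of the password is zero bytes long, which is why the empty-password test must be applied to input that has already been rejected for NUL bytes.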