Date: Fri, 13 Jun 2014 22:31:19 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Horde_Ldap: Stricter parameter check in bind() to detect empty passwords


> From: Matthew Daley <mattd@...fuzz.com>
> Date: Mon, 9 Jun 2014 21:03:15 +1200

> If either of these arguments is empty() (as in, the PHP standard
> library function empty()), the LDAP bind user DN or password from
> Horde configuration is passed to ldap_bind instead. ... The issue is
> that empty() returns true not just for null values but also - amongst
> other things - for empty strings. Hence, a user can simply provide an
> empty password
> https://github.com/horde/horde/commit/8f719b53b0ee2d4b8a40a770430683c98fb5f2fd
> https://github.com/horde/horde/commit/4c3e18f1724ab39bfef10c189a5b52036a744d55

Use CVE-2014-3999.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
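The fallback that the quoted report describes, as an added illustration that is not Horde's own code: one bind() wrapper that substitutes the configured credentials whenever PHP's empty() is true, beside the stricter null-only check. The `binddn`/`bindpw` config keys and the user DN are constructed for this example, and the "0" case goes beyond the report to show the other string value empty() also treats as absent.

```php
<?php
// Added illustration, not Horde's own code: the credential fallback in an
// LDAP bind() wrapper, once with PHP's empty() (the behaviour the report
// describes) and once with a strict null check. Config values are constructed.
$config = [
    'binddn' => 'cn=horde-service,dc=example,dc=org',
    'bindpw' => 'service-secret',
];

// Returns the [dn, password] pair that would be handed to ldap_bind().
// $strict = false reproduces the empty() check; $strict = true only falls
// back to the configured credentials when the argument was really omitted.
function effective_credentials(array $config, $dn, $password, bool $strict): array
{
    if ($strict) {
        if ($dn === null)       { $dn = $config['binddn']; }
        if ($password === null) { $password = $config['bindpw']; }
    } else {
        // empty() is true for null, '', '0', 0, 0.0, false and [] alike.
        if (empty($dn))       { $dn = $config['binddn']; }
        if (empty($password)) { $password = $config['bindpw']; }
    }
    return [$dn, $password];
}

// Regression-style check: a password the caller actually supplied (even an
// empty one) must never be replaced by the service account's password.
function leaks_service_password(array $config, $dn, $password, bool $strict): bool
{
    [, $sent] = effective_credentials($config, $dn, $password, $strict);
    return $password !== null && $sent === $config['bindpw'];
}

$user  = 'uid=alice,dc=example,dc=org';   // constructed user DN
$cases = [
    'omitted'        => [null, null],
    'empty password' => [$user, ''],
    'password "0"'   => [$user, '0'],
];
foreach ($cases as $label => [$dn, $pw]) {
    foreach ([[false, 'empty()'], [true, '=== null']] as [$strict, $check]) {
        [$sentDn, $sentPw] = effective_credentials($config, $dn, $pw, $strict);
        printf("%-15s %-9s -> dn=%s pw=%s%s\n", $label, $check, $sentDn,
            var_export($sentPw, true),
            leaks_service_password($config, $dn, $pw, $strict)
                ? '  (configured bindpw substituted)' : '');
    }
}
```

Only the `omitted` row should ever end up with the configured credentials; with the empty() variant the two other rows are flagged as well, which is the check a maintainer would keep as a regression test after the fix.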
