Date: Mon, 21 Sep 2015 12:56:55 +1000
From: David Black <>
Subject: Re: CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to
 ldap injection.

On 19 September 2015 at 05:08, <> wrote:

> Use CVE-2015-7294.
> The existence of a fork does not, by itself, lead to use of multiple CVE IDs.
> The CVE ID is for the vulnerability in the shared codebase, regardless of the
> product names in which that codebase is used.
> has comments from the vendor about possible mitigating factors. Given
> those comments, is the most straightforward threat that the attacker
> may be able to arrange for a search result to be exactly one username,
> and may not know the complete username in advance but may know the
> password in advance?

That's one option. I was actually thinking that an attacker could also
exploit this issue to extract information from LDAP - provided that the
attacker knows a working username and password combination, they should
be able to craft LDAP queries that only match their username if an additional
search condition is met.

David Black / Security Engineer.
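
For readers of this thread, an added example (not part of the original message and not ldapauth-fork's own code) of the standard defence against this class of bug: escaping the username per RFC 4515 before it is substituted into the search filter. The `(uid={{username}})` template and all function names are assumptions made for illustration, and the sample inputs are constructed.

```javascript
'use strict';

// Characters that RFC 4515 requires to be escaped inside a filter
// assertion value: backslash, asterisk, parentheses and NUL.
const FILTER_SPECIALS = /[\\*()\0]/g;

// Replace each special character with a backslash and two hex digits.
function escapeFilterValue(value) {
  if (typeof value !== 'string') {
    throw new TypeError('filter value must be a string');
  }
  return value.replace(FILTER_SPECIALS, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Hardened form: the username can only ever be a literal value.
// A replacer function is used so "$" sequences in the input are not
// interpreted by String.prototype.replace.
function buildFilter(template, username) {
  return template.replace(/\{\{username\}\}/g,
    () => escapeFilterValue(username));
}

// Unescaped form, kept only for comparison: the username is pasted in
// verbatim, so filter metacharacters in it become filter syntax.
function buildFilterUnescaped(template, username) {
  return template.replace(/\{\{username\}\}/g, () => username);
}

// Count literal parentheses; a change relative to the template means the
// input altered the structure of the filter, not just a value in it.
function parenCount(filter) {
  return (filter.match(/[()]/g) || []).length;
}

// Constructed sample inputs (assumed template, made-up usernames).
const TEMPLATE = '(uid={{username}})';
const samples = ['jdoe', 'j*)(x=y'];

for (const name of samples) {
  const safe = buildFilter(TEMPLATE, name);
  const unsafe = buildFilterUnescaped(TEMPLATE, name);
  console.log(JSON.stringify(name), '->', safe,
    '| structure changed without escaping:',
    parenCount(unsafe) !== parenCount(TEMPLATE));
}
```

The same `parenCount` comparison can be used as a cheap logging check in front of an unpatched deployment to flag login attempts whose username would alter the filter.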
