oss-security - Re: CVE request: DBMail <2.2.9

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Thu, 17 Apr 2008 17:06:52 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Matthias Geerdsen <vorlon@...too.org>
cc: oss-security@...ts.openwall.com,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: DBMail <2.2.9

======================================================
Name: CVE-2007-6714
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6714
Reference: MLIST:[Dbmail-dev] 20071216 [DBMail 0000662]: Ability to bypass authentication.
Reference: URL:http://www.mail-archive.com/dbmail-dev@dbmail.org/msg09942.html
Reference: CONFIRM:http://dbmail.org/index.php?page=news&id=44

DBMail before 2.2.9, when using authldap with an LDAP server that
supports anonymous login such as Active Directory, allows remote
attackers to bypass authentication via an empty password, which causes
the LDAP bind to indicate success based on anonymous authentication.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.