Date: Thu, 17 Apr 2008 17:06:52 -0400 (EDT) From: "Steven M. Christey" <coley@...us.mitre.org> To: Matthias Geerdsen <vorlon@...too.org> cc: oss-security@...ts.openwall.com, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE request: DBMail <2.2.9 ====================================================== Name: CVE-2007-6714 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6714 Reference: MLIST:[Dbmail-dev] 20071216 [DBMail 0000662]: Ability to bypass authentication. Reference: URL:http://firstname.lastname@example.org/msg09942.html Reference: CONFIRM:http://dbmail.org/index.php?page=news&id=44 DBMail before 2.2.9, when using authldap with an LDAP server that supports anonymous login such as Active Directory, allows remote attackers to bypass authentication via an empty password, which causes the LDAP bind to indicate success based on anonymous authentication.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.