Date: Fri, 12 Sep 2014 14:03:37 +0000 (UTC) From: Damien Regad <dregad@...tisbt.org> To: oss-security@...ts.openwall.com Subject: CVE request: MantisBT Null byte poisoning in LDAP authentication Greetings Matthew Daley reported a Null byte poisoning issue with LDAP authentication affecting MantisBT <= 1.2.17. A malicious user can exploit this vulnerability to login as any registered user and without knowing their password, to systems relying on LDAP for user authentication (e.g. Active Directory or OpenLDAP with "allow bind_anon_cred"). Patches are available in ; full details on the original issue report can be found at . Can you please assign a CVE ID to this issue ? Thank you D. Regad MantisBT Developer http://mantisbt.org/  http://github.com/mantisbt/mantisbt/commit/fc02c46ee (master branch) http://github.com/mantisbt/mantisbt/commit/215968fa8 (1.2.x branch)  http://www.mantisbt.org/bugs/view.php?id=17640
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.