A vulnerability has been reported in PhpWiki, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error within lib/WikiUser/LDAP.php when binding to an LDAP server with an empty password. Depending on the LDAP implementation used, this can be exploited to bypass the authentication mechanism. The vulnerability is reported in versions prior to 1.3.13p1. Solution: Update to version 1.3.13p1. Provided and/or discovered by: Reported by the vendor. Original Advisory: http://sourceforge.net/project/shownotes.php?release_id=514820 http://sourceforge.net/tracker/index....882&group_id=6121&atid=106121 Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others. Reproducible: Always
maintainers - please advice and bump as necessary
maintainers - please advice
web-apps, there's version 1.3.13_rc1 in the tree, is it the same as upstream version 1.3.13p1? And if not, does it still fix this issue?
Sorry for the delay again. I checked in 1.3.13_rc1 and removed the problematic UpLoad.php. So 1.3.13_r1 should be without the issue. Today I also checked in 1.3.14 and verified that the code in UpLoad.php has been fixed. My preference would be to stabilize 1.3.14 and remove all older ebuild.
Well, i confused this with bug #174451. But the security issue mentioned here has also been fixed in 1.3.14.
Thanks Gunnar. fixing severity since some arches were stable. Arches (or should I say ppc :) please test and mark stable www-apps/phpwiki-1.3.14. Target keywords are: "ppc ~sparc ~x86 ~amd64"
ppc stable, ready for glsa voting.
I tend to vote YES.
I vote YES
I tend to vote NO.
web-apps no longer needed here :)
I'll vote yes - adding request.
CVE-2007-3193
it's GLSA 200709-10, sorry for the delay.
