Bug#: 104293
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Description:   Opened: 2005-08-30 12:34 0000
Multiple issues ranging from XSS to remote script execution.

------- Comment #1 From Stefan Cornelius (RETIRED) 2005-08-30 20:13:31 0000 -------
Well, the advisory says "0.9.6 - 0.9.7/alpha5 (possibly prior versions)" are
vulnerable, so I'm not sure whether alpha5 is vulnerable or not - I can't access
the upstream bugs page and the changelog in the alpha5 tarball does not mention
0.9.7 yet. So if alpha5 is fixed, please provide a fixed ebuild and please also
check if 0.9.5 is vulnerable, because it's marked stable on x86. Thanks, I know
you guys are quite stressed lately with security stuff.

------- Comment #2 From Thierry Carrez (RETIRED) 2005-08-31 02:37:00 0000 -------
FYI:

--------------------------------------------------------------------------
Debian Security Advisory DSA 790-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
August 30th, 2005                       http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : phpldapadmin
Vulnerability  : programming error
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2654
Debian Bug     : 322423

Alexander Gerasiov discovered that phpldapadmin, a web based interface
for administering LDAP servers, allows anybody to access the LDAP
server anonymously, even if this is disabled in the configuration with
the "disable_anon_bind" statement.

------- Comment #3 From Stefan Cornelius (RETIRED) 2005-08-31 08:22:14 0000 -------
Rating back to B1, http://www.securityfocus.com/archive/1/409624/30/0/threaded
says there is also remote script code execution and file disclosure.

------- Comment #4 From Renat Lumpau 2005-08-31 09:30:56 0000 -------
See
http://sourceforge.net/mailarchive/forum.php?thread_id=8086622&forum_id=34809

> "Successful exploitation requires that "register_globals" is enabled."

> Both fixes are included in 0.9.7-alpha6 submitted to sf just now...

phpldapadmin-0.9.7_alpha6 in portage. I can't reproduce it on 0.9.5, but that
doesn't mean it's not there.
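The Debian advisory in comment #2 describes an access-control flag (disable_anon_bind) that was not enforced, and comment #4 notes that exploitation needed register_globals. The following is an added illustration of that general failure mode and its fix; it is not phpldapadmin's code and does not reproduce the actual bug. The function names, the variable name used for the flag and the request contents are all constructed for the example. register_globals (removed in PHP 5.4) copied every request parameter into a global variable before the script ran, which is simulated here with a loop over a constructed request array.

```php
<?php
// Added example, not phpldapadmin's code: why an access-control flag must be
// initialised explicitly with a deny default instead of being trusted from
// the global scope, where register_globals could have planted it.

// Mimics register_globals=On: every request parameter becomes a global
// variable before any application code runs. (Constructed, for illustration.)
function simulate_register_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Vulnerable shape (hypothetical): the flag is only honoured if some config
// code happened to set it, and an unset or falsy flag means "allowed".
function anon_bind_allowed_vulnerable(): bool
{
    global $disable_anon_bind;
    return empty($disable_anon_bind);
}

// Hardened shape (hypothetical): the flag comes from an explicitly built
// config array with a default of "deny"; request data is never consulted.
function anon_bind_allowed_hardened(array $config): bool
{
    $disable = array_key_exists('disable_anon_bind', $config)
        ? (bool) $config['disable_anon_bind']
        : true;                                  // default deny
    return !$disable;
}

// Constructed request: a client supplies disable_anon_bind=0 as a parameter.
$request = ['disable_anon_bind' => '0'];
simulate_register_globals($request);

// The administrator's intent, as it would be written in the config file.
$config = ['disable_anon_bind' => true];

var_dump(anon_bind_allowed_vulnerable());        // bool(true): flag bypassed
var_dump(anon_bind_allowed_hardened($config));   // bool(false): flag enforced

// Deployment check: refuse to start while register_globals is still on.
// On PHP >= 5.4 ini_get() returns false because the setting no longer exists.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    fwrite(STDERR, "register_globals is enabled; refusing to start\n");
    exit(1);
}
```

The hardened function never reads a bare global, so it behaves the same whether register_globals is on or off; the startup check is the belt-and-braces control for installations that cannot yet upgrade the interpreter or the application.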

------- Comment #5 From Stefan Cornelius (RETIRED) 2005-08-31 10:13:58 0000 -------
Ready for GLSA. It's B1 so we are forced to write one, although I hate doing so
because register_globals is just dumb etc ...

------- Comment #6 From Thierry Carrez (RETIRED) 2005-09-06 06:49:02 0000 -------
GLSA 200509-04

------- Comment #7 From Thierry Carrez (RETIRED) 2005-11-17 02:06:49 0000 -------
*** Bug 112766 has been marked as a duplicate of this bug. ***
