Bug#: 181692
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Lars Hartmann <lars@chaotika.org>
Description:   Opened: 2007-06-11 20:41 0000
A vulnerability has been reported in PhpWiki, which can be exploited by
malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error within lib/WikiUser/LDAP.php when
binding to an LDAP server with an empty password. Depending on the LDAP
implementation used, this can be exploited to bypass the authentication
mechanism.

The vulnerability is reported in versions prior to 1.3.13p1.

Solution:
Update to version 1.3.13p1.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sourceforge.net/project/shownotes.php?release_id=514820

http://sourceforge.net/tracker/index....882&group_id=6121&atid=106121



Please note: The information that this Secunia Advisory is based on comes from
a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by
security research groups, vendors, and others.

Reproducible: Always
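
The failure mode the advisory describes, as an added PHP example (not PhpWiki's code and not the upstream fix): a login routine that trusts the bind result alone, next to one that refuses empty credentials before binding. The `simulatedBind` function, the directory entry and both login functions are constructed for illustration; the simulated server is assumed to accept a bind with a DN and an empty password as an unauthenticated bind, the behaviour RFC 4513 section 5.1.2 describes.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for an LDAP server that accepts "unauthenticated"
// simple binds: a DN with an empty password succeeds with no credential check.
// (Assumption for this example; real servers differ, as the advisory notes.)
function simulatedBind(string $dn, string $password): bool
{
    $directory = ['uid=alice,ou=people,dc=example,dc=org' => 'correct horse'];
    if ($password === '') {
        return true; // bind "succeeds", but nobody was authenticated
    }
    return isset($directory[$dn]) && hash_equals($directory[$dn], $password);
}

// Weak pattern: the bind result alone is treated as proof of identity.
// In a real deployment $bind would wrap PHP's ldap_bind().
function loginWeak(callable $bind, string $dn, string $password): bool
{
    return $bind($dn, $password);
}

// Hardened pattern: reject empty credentials before contacting the server,
// so the outcome no longer depends on how the server treats such binds.
function loginHardened(callable $bind, string $dn, string $password): bool
{
    if ($dn === '' || $password === '') {
        return false;
    }
    return $bind($dn, $password);
}

$dn = 'uid=alice,ou=people,dc=example,dc=org'; // constructed sample account
$cases = [
    'correct password' => 'correct horse',
    'wrong password'   => 'guess',
    'empty password'   => '',
];
foreach ($cases as $label => $pw) {
    printf("%-17s weak=%s hardened=%s\n", $label,
        var_export(loginWeak('simulatedBind', $dn, $pw), true),
        var_export(loginHardened('simulatedBind', $dn, $pw), true));
}
```

Only the empty-password case separates the two functions: the weak login accepts it, the hardened one does not.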

------- Comment #1 From Lars Hartmann 2007-06-12 07:41:31 0000 -------
maintainers - please advise and bump as necessary

------- Comment #2 From Lars Hartmann 2007-06-19 16:55:49 0000 -------
maintainers - please advise

------- Comment #3 From Lars Hartmann 2007-07-02 18:41:50 0000 -------
maintainers - please advise

------- Comment #4 From Lars Hartmann 2007-07-14 12:23:46 0000 -------
maintainers - please advise

------- Comment #5 From Pierre-Yves Rofes 2007-07-19 08:18:11 0000 -------
web-apps, there's version 1.3.13_rc1 in the tree, is it the same as upstream
version 1.3.13p1? And if not, does it still fix this issue?

------- Comment #6 From Gunnar Wrobel 2007-08-09 10:09:32 0000 -------
Sorry for the delay again. I checked in 1.3.13_rc1 and removed the problematic
UpLoad.php. So 1.3.13_r1 should be without the issue.

Today I also checked in 1.3.14 and verified that the code in UpLoad.php has
been fixed. 

My preference would be to stabilize 1.3.14 and remove all older ebuilds.

------- Comment #7 From Gunnar Wrobel 2007-08-09 10:20:55 0000 -------
Well, I confused this with bug #174451. But the security issue mentioned here
has also been fixed in 1.3.14. 

------- Comment #8 From Pierre-Yves Rofes 2007-08-09 11:14:16 0000 -------
Thanks Gunnar. Fixing severity since some arches were stable.
Arches (or should I say ppc :) please test and mark stable
www-apps/phpwiki-1.3.14. Target keywords are: "ppc ~sparc ~x86 ~amd64"

------- Comment #9 From Tobias Scherbaum 2007-08-14 18:14:43 0000 -------
ppc stable, ready for glsa voting.

------- Comment #10 From Pierre-Yves Rofes 2007-08-14 18:51:46 0000 -------
I tend to vote YES.

------- Comment #11 From Matt Fleming (RETIRED) 2007-08-14 19:55:35 0000 -------
I vote YES

------- Comment #12 From Sune Kloppenborg Jeppesen 2007-08-14 20:02:14 0000 -------
I tend to vote NO.

------- Comment #13 From Gunnar Wrobel 2007-09-04 13:01:05 0000 -------
web-apps no longer needed here :)

------- Comment #14 From Matt Drew 2007-09-04 23:34:12 0000 -------
I'll vote yes - adding request.

------- Comment #15 From Matt Drew 2007-09-04 23:42:14 0000 -------
CVE-2007-3193

------- Comment #16 From Raphael Marichez 2007-09-18 21:40:26 0000 -------
It's GLSA 200709-10, sorry for the delay.
