
Bug 334351 (CVE-2010-2944)

Summary: <net-zope/ldapuserfolder-2.20 authentication bypass (CVE-2010-2944)
Product: Gentoo Security
Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: net-zope+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/41022
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-24 21:03:08 UTC
A vulnerability has been discovered in the LDAPUserFolder product for Zope, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error within the "authenticate()" function in Products/LDAPUserFolder/LDAPUserFolder.py, which does not properly verify the password provided for the emergency user. This can be exploited to gain access to certain pages of the LDAPUserFolder product by providing an arbitrary password.

The vulnerability is confirmed in version 2.18. Other versions may also be affected.

Please note that an ancient version of this package (2.4) is marked stable on x86.
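A simplified model of the logic flaw the advisory describes, added here as an illustration only; it is not the LDAPUserFolder code, and the user name, password and function names are assumed. The flawed variant accepts the emergency user on name alone, while the fixed variant also verifies the password with a constant-time digest comparison.

```python
import hashlib
import hmac
import os


def _digest(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class EmergencyUser:
    """Constructed stand-in for the emergency user object; stores only a salted digest."""

    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self.salt = os.urandom(16)
        self.digest = _digest(password, self.salt)

    def verify(self, password: str) -> bool:
        # compare_digest avoids leaking the match position through timing
        return hmac.compare_digest(_digest(password, self.salt), self.digest)


def authenticate_vulnerable(emergency: EmergencyUser, name: str, password: str):
    """Model of the flaw: matching the emergency user's name is enough, the
    supplied password is never checked, so any password is accepted."""
    if name == emergency.name:
        return emergency
    return None  # fall through to normal LDAP lookup in the real product


def authenticate_fixed(emergency: EmergencyUser, name: str, password: str):
    """Corrected check: the emergency user is returned only when the name
    matches AND the password verifies against the stored digest."""
    if name == emergency.name and emergency.verify(password):
        return emergency
    return None


# Constructed sample credentials for the demonstration below
EMERGENCY = EmergencyUser("emergency", "correct-horse-battery")


def bypass_succeeds(auth, name: str = "emergency", password: str = "wrong") -> bool:
    """True when `auth` grants the emergency user with a wrong password."""
    return auth(EMERGENCY, name, password) is EMERGENCY
```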
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-01-01 23:14:01 UTC
@net-zope, thoughts?

I could not find a fixed version from the upstream, but there appears to be a one-line fix in the debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593466.
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-05-05 15:42:23 UTC
Vulnerable ebuilds have been removed from the tree.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-05-05 15:54:30 UTC
Please don't close security bugs.

Fixed in 2.20 according to http://pypi.python.org/pypi/Products.LDAPUserFolder#id1.