Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 334351 (CVE-2010-2944) - <net-zope/ldapuserfolder-2.20 authentication bypass (CVE-2010-2944)
Summary: <net-zope/ldapuserfolder-2.20 authentication bypass (CVE-2010-2944)
Alias: CVE-2010-2944
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: ~1 [noglsa]
Depends on:
Reported: 2010-08-24 21:03 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2011-05-05 15:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-24 21:03:08 UTC
A vulnerability has been discovered in the LDAPUserFolder product for Zope, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error within the "authenticate()" function in Products/LDAPUserFolder/, which does not properly verify the password provided for the emergency user. This can be exploited to gain access to certain pages of the LDAPUserFolder product by providing an arbitrary password.

The vulnerability is confirmed in version 2.18. Other versions may also be affected.

Please note that an ancient version of this package (2.4) is marked stable on x86.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-01-01 23:14:01 UTC
@net-zope, thoughts? 

I could not find a fixed version from the upstream, but there appears to be a one-line fix in the debian bug
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-05-05 15:42:23 UTC
Vulnerable ebuilds have been removed from the tree.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-05-05 15:54:30 UTC
Please don't close security bugs.

Fixed in 2.20 according to