Horde Ldap Stricter parameter check in bind() to detect empty passwords
CVE: N/A
Category: CWE-20
Price: N/A
Severity: Medium
Author: Exploit Alert Team
Risk: Medium
Exploitation Type: Remote
Date: 2014-06-05
CPE: cpe:cpe:2.3:a:horde:horde_webmail:*:*:*:*:*:*:*:*
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2014060033
Below is a copy:

Horde_Ldap released an update fixing a security issue mentioned in the
changes:
[jan] SECURITY: Stricter parameter check in bind() to detect empty
passwords.
https://github.com/horde/horde/commit/8f719b53b0ee2d4b8a40a770430683c98fb5f2fd
fixed in 2.0.6 with commit:
https://github.com/horde/horde/commit/4c3e18f1724ab39bfef10c189a5b52036a744d55
framework/Ldap/lib/Horde/Ldap.php
@@ -206,10 +206,10 @@ protected function setConfig($config)
public function bind($dn = null, $password = null)
{
/* Fetch current bind credentials. */
- if (empty($dn)) {
+ if (is_null($dn)) {
$dn = $this->_config['binddn'];
}
- if (empty($password)) {
+ if (is_null($password)) {
$password = $this->_config['bindpw'];
}
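Review bot: In bind(), the two changed conditions stop an empty-string password from being swapped for the configured bindpw, but nothing in the lines shown rejects a non-empty $dn paired with a zero-length $password. Under RFC 4513 section 5.1.2 that combination is an unauthenticated bind, which some directory servers answer with success, so a caller that treats a successful bind() as proof of the password could still accept a blank one. Consider failing early when $password === '' and $dn is not empty, unless the caller explicitly requested an anonymous or unauthenticated bind. The docblock should also say that null means "use the configured binddn/bindpw" while '' is passed through as given, because callers that previously passed '' or '0' to get the configured credentials change behaviour with this patch.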
framework/Ldap/package.xml
@@ -28,7 +28,7 @@
</stability>
<license uri="http://opensource.org/licenses/lgpl-3.0.html">LGPL-3.0</license>
<notes>
-*
+* [jan] SECURITY: Stricter parameter check in bind() to detect empty passwords.
</notes>
<contents>
<dir baseinstalldir="/" name="/">
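Review bot: The <notes> entry says only that the check is stricter and does not tell integrators what changed for callers of bind(). Suggest wording that states an empty-string $dn or $password is no longer replaced by the configured binddn/bindpw, so operators can judge whether their authentication path was affected; the same applies to the identical changelog entry later in this file.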
@@ -430,7 +430,7 @@
<date>2014-05-21</date>
<license uri="http://opensource.org/licenses/lgpl-3.0.html">LGPL-3.0</license>
<notes>
-*
+* [jan] SECURITY: Stricter parameter check in bind() to detect empty passwords.
</notes>
</release>
</changelog>