Horde Ldap Stricter parameter check in bind() to detect empty passwords

CVE: N/A
Category: CWE-20
Price: N/A
Severity: Medium
Author: Exploit Alert Team
Risk: Medium
Exploitation Type: Remote
Date: 2014-06-05
CPE
cpe:cpe:2.3:a:horde:horde_webmail:*:*:*:*:*:*:*:*
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2014060033

Below is a copy:

Horde_Ldap released an update fixing a security issue mentioned in the
changes:

    [jan] SECURITY: Stricter parameter check in bind() to detect empty
    passwords.


https://github.com/horde/horde/commit/8f719b53b0ee2d4b8a40a770430683c98fb5f2fd

Fixed in 2.0.6 with commit:

https://github.com/horde/horde/commit/4c3e18f1724ab39bfef10c189a5b52036a744d55


framework/Ldap/lib/Horde/Ldap.php
@@ -206,10 +206,10 @@ protected function setConfig($config)

     public function bind($dn = null, $password = null)
     {
         /* Fetch current bind credentials. */
-        if (empty($dn)) {
+        if (is_null($dn)) {
             $dn = $this->_config['binddn'];
         }

-        if (empty($password)) {
+        if (is_null($password)) {
             $password = $this->_config['bindpw'];
         }

 

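Review bot: the switch from empty() to is_null() in both fallbacks stops an explicitly supplied '' (or '0', which empty() also treats as empty) from being silently replaced by $this->_config['binddn'] / $this->_config['bindpw'], but nothing in this hunk rejects an empty password itself, even though the changelog entry says the check is meant to detect empty passwords. A simple bind carrying a DN together with an empty password is the unauthenticated mechanism of RFC 4513 section 5.1.2, which some directory servers still accept, so consider adding a guard after the fallbacks, e.g. `if ($password === '') {` followed by throwing an exception, or document that callers must validate the credentials before calling bind().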
framework/Ldap/package.xml
@@ -28,7 +28,7 @@

  </stability>
  <license uri="http://opensource.org/licenses/lgpl-3.0.html">LGPL-3.0</license>
  <notes>

-* 
+* [jan] SECURITY: Stricter parameter check in bind() to detect empty passwords.
  </notes>
  <contents>
   <dir baseinstalldir="/" name="/">
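Review bot: the release note `+* [jan] SECURITY: Stricter parameter check in bind() to detect empty passwords.` names the change but not its effect; for a security entry, state the behavioural change (an explicitly empty $dn or $password passed to bind() is no longer replaced by the configured binddn/bindpw) and the affected versions, so packagers and downstream callers can judge their exposure.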

@@ -430,7 +430,7 @@
    <date>2014-05-21</date>
    <license uri="http://opensource.org/licenses/lgpl-3.0.html">LGPL-3.0</license>
    <notes>

-* 
+* [jan] SECURITY: Stricter parameter check in bind() to detect empty passwords.
    </notes>
   </release>
  </changelog>
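The credential fallback the patch changes, as an added illustration that is not Horde's code: the constructed $config and the resolveBindBefore/resolveBindAfter functions reproduce the before and after logic of bind(), and resolveBindStrict is an assumed hardening that the patch itself does not contain.

```php
<?php
// Added illustration, not Horde code: models the credential fallback in
// Horde_Ldap::bind() before and after the fix, against a constructed config.
$config = [
    'binddn' => 'cn=service,dc=example,dc=org',   // constructed values
    'bindpw' => 's3rvice-secret',
];
// Before the fix: empty() is true for null, '', '0', false and [], so an
// explicitly supplied empty password is replaced by the service account's.
function resolveBindBefore(array $config, $dn = null, $password = null): array
{
    if (empty($dn))       { $dn = $config['binddn']; }
    if (empty($password)) { $password = $config['bindpw']; }
    return [$dn, $password];
}
// After the fix: only a missing (null) argument falls back to the config;
// '' and '0' are passed through unchanged.
function resolveBindAfter(array $config, $dn = null, $password = null): array
{
    if (is_null($dn))       { $dn = $config['binddn']; }
    if (is_null($password)) { $password = $config['bindpw']; }
    return [$dn, $password];
}
// Assumed hardening, not part of the patch: refuse an empty DN or password so
// the pair is never sent as an unauthenticated simple bind (RFC 4513 5.1.2).
function resolveBindStrict(array $config, $dn = null, $password = null): array
{
    [$dn, $password] = resolveBindAfter($config, $dn, $password);
    if ($dn === '' || $password === '') {
        throw new InvalidArgumentException('empty bind DN or password refused');
    }
    return [$dn, $password];
}
$cases = [
    ['cn=alice,dc=example,dc=org', ''],   // user submitted an empty password
    ['cn=alice,dc=example,dc=org', '0'],  // '0' is also empty() in PHP
    [null, null],                         // intended use: service credentials
];
foreach ($cases as [$dn, $pw]) {
    printf("input dn=%s pw=%s\n", var_export($dn, true), var_export($pw, true));
    printf("  before: %s\n", implode(' / ', resolveBindBefore($config, $dn, $pw)));
    printf("  after:  %s\n", implode(' / ', resolveBindAfter($config, $dn, $pw)));
    try {
        printf("  strict: %s\n", implode(' / ', resolveBindStrict($config, $dn, $pw)));
    } catch (InvalidArgumentException $e) {
        printf("  strict: %s\n", $e->getMessage());
    }
}
```

The first two cases show the pre-fix code quietly substituting the configured bindpw for the user's empty or "0" password, while the fixed code passes the value through and the strict variant refuses it.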



Copyright ©2024 Exploitalert.
