Horde Ldap: Stricter parameter check in bind() to detect empty passwords

CVE: N/A
Category: CWE-20
Price: N/A
Severity: Medium
Author: Exploit Alert Team
Risk: Medium
Exploitation Type: Remote
Date: 2014-06-05
CPE: cpe:2.3:a:horde:horde_webmail:*:*:*:*:*:*:*:*
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2014060033

Below is a copy:

Horde_Ldap released an update fixing a security issue mentioned in the
changes:

    [jan] SECURITY: Stricter parameter check in bind() to detect empty
    passwords.


https://github.com/horde/horde/commit/8f719b53b0ee2d4b8a40a770430683c98fb5f2fd

Fixed in Horde_Ldap 2.0.6 with commit:

https://github.com/horde/horde/commit/4c3e18f1724ab39bfef10c189a5b52036a744d55


framework/Ldap/lib/Horde/Ldap.php
@@ -206,10 +206,10 @@ protected function setConfig($config)

     public function bind($dn = null, $password = null)
     {
         /* Fetch current bind credentials. */
-        if (empty($dn)) {
+        if (is_null($dn)) {
             $dn = $this->_config['binddn'];
         }

-        if (empty($password)) {
+        if (is_null($password)) {
             $password = $this->_config['bindpw'];
         }

 
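Review bot: Switching from empty() to is_null() stops an explicitly passed empty-string password (and the string "0", which empty() also treats as empty) from being silently replaced by the configured bindpw, but nothing in this hunk rejects the empty string itself; the lines where $password is handed to the LDAP server are outside the hunk, and a directory that permits unauthenticated binds will treat a DN with an empty password as an anonymous bind that succeeds, so a caller passing a user-supplied '' could still see bind() return as if authentication had worked. Suggest an explicit check right after the fallback, for example `if ($password === '') { throw new Horde_Ldap_Exception('Empty password not allowed'); }` (using the library's usual exception class), or at least a docblock note that callers must reject empty passwords before calling bind(). The same change for $dn means an empty-string DN is now passed through instead of falling back to binddn, which is the intended stricter behaviour and worth mentioning in the changelog entry alongside the password case.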

framework/Ldap/package.xml
@@ -28,7 +28,7 @@

  </stability>
  <license uri="http://opensource.org/licenses/lgpl-3.0.html">LGPL-3.0</license>
  <notes>

-* 
+* [jan] SECURITY: Stricter parameter check in bind() to detect empty passwords.
  </notes>
  <contents>
   <dir baseinstalldir="/" name="/">

@@ -430,7 +430,7 @@
    <date>2014-05-21</date>
    <license uri="http://opensource.org/licenses/lgpl-3.0.html">LGPL-3.0</license>
    <notes>

-* 
+* [jan] SECURITY: Stricter parameter check in bind() to detect empty passwords.
    </notes>
   </release>
  </changelog>
