| Field | Value |
|---|---|
| VID | 21702 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |

Detailed Description

A version of phpLDAPadmin older than 0.9.6c-4 is detected as running on the host. phpLDAPadmin is a Web-based administration tool that allows users to manage Lightweight Directory Access Protocol (LDAP) servers. phpLDAPadmin version 0.9.6c and earlier could allow a remote attacker to bypass certain security restrictions and access the LDAP server anonymously. The issue is caused by an error in login.php when validating whether anonymous bind has been disabled in the configuration. This can be exploited to access the LDAP server anonymously, even if anonymous bind has been disabled in the configuration with the "disable_anon_bind" statement.

* Note: This check relies solely on the version number of phpLDAPadmin installed on the remote Web server to assess this vulnerability, so it might be a false positive.
* References: http://secunia.com/advisories/16611/ ; http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322423
* Platforms Affected: SourceForge.net phpLDAPadmin version 0.9.6c and earlier; any operating system, any version

Recommendation

Upgrade to the latest version of phpLDAPadmin (0.9.7-alpha6 or later), available from the SourceForge.net Web site at http://sourceforge.net/projects/phpldapadmin

For Debian GNU/Linux 3.1 (sarge): Upgrade to the latest version of phpldapadmin (0.9.5-3sarge2 or later), as listed in Debian Security Advisory DSA-790-1 at http://www.debian.org/security/2005/dsa-790

Related URLs

* CVE-2005-2654 (CVE)
* 14694 (SecurityFocus)
* 22048 (ISS)