CVE-2007-6714 Information
Description
DBMail before 2.2.9 when using authldap with an LDAP server that supports anonymous login such as Active Directory allows remote attackers to bypass authentication via an empty password which causes the LDAP bind to indicate success based on anonymous authentication.
Reference
http://dbmail.org/index.php?page=news&id=44 http://osvdb.org/44561 http://secunia.com/advisories/29903 http://secunia.com/advisories/29937 http://secunia.com/advisories/29984 http://www.gentoo.org/security/en/glsa/glsa-200804-24.xml http://www.mail-archive.com/dbmail-dev@dbmail.org/msg09942.html http://www.securityfocus.com/bid/28849 http://www.securitytracker.com/id?1019914 http://www.vupen.com/english/advisories/2008/1321/references https://exchange.xforce.ibmcloud.com/vulnerabilities/41907 https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00549.html https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00585.html
Share on: