
List:       kolab-users
Subject:    Re: [OpenPKG-SA-2004.019] OpenPKG Security Advisory (kolab)
From:       Thomas Lotterer <thl () dev ! de ! cw ! com>
Date:       2004-05-06 9:56:10
Message-ID: 20040506095610.GB78746 () dev ! de ! cw ! com

On Wed, May 05, 2004, Jon Bendtsen wrote:

Jon,

> I don't understand how serious this is. Can a remote attacker gain
> access?
> 
An attacker must be able to read your local slapd.conf first. It
contains information which would allow him to connect to OpenLDAP to
view and even modify and delete information.

Such operations can be done remotely if slapd listens to a public
interface and TCP port 389 (LDAP) or TCP port 636 (LDAPS) are
accessible. In theory, things can be worse if a host uses the same
Directory for Unix shell authorization (i.e. via PAM LDAP module) ...

--
Thomas.Lotterer@cw.com, Cable & Wireless
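
An added example, not part of the original message and not OpenPKG or Kolab code: a small audit of the two conditions the reply names, local readability of slapd.conf and slapd listening on ports 389/636 beyond loopback. It assumes the sensitive value in slapd.conf is a `rootpw` directive and that listener data comes from `ss -ltn`; the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original message): audit the exposure described above.
# Assumption: the sensitive value in slapd.conf is a `rootpw` directive.

# True if "others" have read permission on the file.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# True if a rootpw directive holds a value without a {SCHEME} hash prefix.
cleartext_rootpw() {
    awk 'tolower($1) == "rootpw" && $2 !~ /^"?[{][A-Za-z0-9-]+[}]/ { found = 1 }
         END { exit !found }' "$1"
}

# Reads `ss -ltn` output on stdin; prints LDAP/LDAPS listeners not bound to loopback.
public_ldap_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4; port = addr
        sub(/.*:/, "", port); sub(/:[0-9]+$/, "", addr)
        if ((port == "389" || port == "636") && addr !~ /^(127\.|\[::1\])/) print $4
    }'
}

# Prints findings; returns 0 only when the file passes both checks.
audit_slapd_conf() {
    conf=$1
    findings=0
    if world_readable "$conf"; then
        echo "FINDING: $conf is readable by every local user; restrict it to root and the slapd account"
        findings=$((findings + 1))
    fi
    if cleartext_rootpw "$conf"; then
        echo "FINDING: rootpw is stored in clear; replace it with slappasswd output"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample file, not taken from a real host.
demo_dir=$(mktemp -d)
printf 'rootdn "cn=manager,dc=example,dc=com"\nrootpw secret\n' > "$demo_dir/slapd.conf"
chmod 644 "$demo_dir/slapd.conf"
audit_slapd_conf "$demo_dir/slapd.conf" || echo "slapd.conf needs attention"
rm -rf "$demo_dir"
```

On a live host, pass the real configuration path to `audit_slapd_conf` and pipe `ss -ltn` into `public_ldap_listeners`.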

