'[oss-security] Re: CVE request: DBMail <2.2.9'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: CVE request: DBMail <2.2.9
From:       "Steven M. Christey" <coley () linus ! mitre ! org>
Date:       2008-04-17 21:06:52
Message-ID: Pine.GSO.4.51.0804171706480.3756 () faron ! mitre ! org
[Download RAW message or body]


======================================================
Name: CVE-2007-6714
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6714
Reference: MLIST:[Dbmail-dev] 20071216 [DBMail 0000662]: Ability to bypass authentication.
Reference: URL:http://www.mail-archive.com/dbmail-dev@dbmail.org/msg09942.html
Reference: CONFIRM:http://dbmail.org/index.php?page=news&id=44

DBMail before 2.2.9, when using authldap with an LDAP server that
supports anonymous login such as Active Directory, allows remote
attackers to bypass authentication via an empty password, which causes
the LDAP bind to indicate success based on anonymous authentication.


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic