List: oss-security
Subject: [oss-security] 389-ds DoS due to improper handling of ger attr searches (CVE-2013-4485)
From: Vincent Danen <vdanen () redhat ! com>
Date: 2013-11-21 15:15:07
Message-ID: 20131121151507.GP2523 () redhat ! com
A flaw was found in how 389-ds-base and Red Hat Directory Server handled the
checking of access rights on entries using GER (Get Effective Rights), a
way to extend directory searches to also display what access rights a
user has to a specified entry. When an attribute list is given in the
search request, and if there are several attributes whose names contain
the '@' character, 389-ds-base and Red Hat Directory Server would crash.
An attacker able to contact the server would be able to submit this type
of search request with no authentication required.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4485
(Obviously no CVE is required, posting here as this was previously sent
to the distros@ mailing list)
--
Vincent Danen / Red Hat Security Response Team
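
An added example, not part of the original message or the 389-ds project: a log check a defender could run to find search requests whose attribute list carries several '@' names, and whether the connection had authenticated first. The sample lines are constructed and modelled on the 389-ds access-log layout; the function name, the `Finding` fields and the threshold of two are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample lines modelled on the 389-ds access-log layout (assumption).
SAMPLE_LOG = """\
[21/Nov/2013:10:15:01 -0500] conn=7 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[21/Nov/2013:10:15:01 -0500] conn=7 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="cn@person sn@person mail@inetOrgPerson"
[21/Nov/2013:10:15:02 -0500] conn=8 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[21/Nov/2013:10:15:02 -0500] conn=8 op=0 BIND dn="uid=admin,dc=example,dc=com" method=128 version=3
[21/Nov/2013:10:15:02 -0500] conn=8 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="cn@person sn@person"
[21/Nov/2013:10:15:03 -0500] conn=9 fd=66 slot=66 connection from 192.0.2.30 to 192.0.2.1
[21/Nov/2013:10:15:03 -0500] conn=9 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="cn mail@inetOrgPerson"
"""

Finding = namedtuple("Finding", "conn op client authenticated at_attrs")

LINE = re.compile(r'^\[[^\]]+\] conn=(\d+) (.*)$')
FROM = re.compile(r'connection from (\S+) to ')
BIND = re.compile(r'op=\d+ BIND dn="([^"]*)"')
SRCH = re.compile(r'op=(\d+) SRCH .*\battrs="([^"]*)"')

def find_ger_multi_at(log_text, threshold=2):
    """Return searches requesting >= threshold attributes containing '@'."""
    clients, bound, findings = {}, set(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, rest = int(m.group(1)), m.group(2)
        if (c := FROM.search(rest)):
            clients[conn] = c.group(1)
        elif (b := BIND.search(rest)):
            # Simplification: a non-empty bind DN counts as authenticated;
            # the RESULT line is not checked. An empty DN is an anonymous bind.
            if b.group(1):
                bound.add(conn)
            else:
                bound.discard(conn)
        elif (s := SRCH.search(rest)):
            at = [a for a in s.group(2).split() if "@" in a]
            if len(at) >= threshold:
                findings.append(Finding(conn, int(s.group(1)),
                                        clients.get(conn), conn in bound, at))
    return findings

if __name__ == "__main__":
    for f in find_ger_multi_at(SAMPLE_LOG):
        print(f)
```

With access-log buffering enabled, the request that brought the server down may never reach the file, so an empty result does not rule such a search out.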