Gentoo Foundation: GLSA-200709-10
Sep 18, 2007 - 12:00 a.m.

PhpWiki: Authentication bypass

2007-09-18 00:00:00
Gentoo Foundation
security.gentoo.org

CVSS2: 10
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.033
Percentile: 91.5%

Background

PhpWiki is an application that creates a web site where anyone can edit the pages through HTML forms.

Description

The PhpWiki development team reported an authentication error within the file lib/WikiUser/LDAP.php when binding to an LDAP server with an empty password.

Impact

A remote attacker could provide an empty password when authenticating. Depending on the LDAP implementation used, this could bypass the PhpWiki authentication mechanism and grant the attacker access to the application.
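The following is an added illustration, not PhpWiki's code: it contrasts a login check that trusts any successful bind with one that rejects empty credentials before binding. The bind function is a constructed stand-in that assumes a directory server permitting the "unauthenticated bind" of RFC 4513 section 5.1.2; all function names and the sample entry are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a directory server that permits "unauthenticated
// bind" (RFC 4513 section 5.1.2): a DN sent with a zero-length password is
// answered with success, although no credential was verified.
function fakeLdapBind(string $dn, string $password): bool
{
    // Constructed sample entry, not taken from the advisory.
    $directory = ['uid=alice,ou=people,dc=example,dc=org' => 'correct horse'];
    if ($password === '') {
        return true; // bind "succeeds" as an anonymous session
    }
    return isset($directory[$dn]) && hash_equals($directory[$dn], $password);
}

// Weak pattern: a successful bind is taken as proof of the user's identity.
function loginWeak(callable $bind, string $dn, string $password): bool
{
    return $bind($dn, $password);
}

// Hardened pattern: empty DN or password is refused before any bind is sent,
// so the result no longer depends on how the server treats such requests.
function loginHardened(callable $bind, string $dn, string $password): bool
{
    if ($dn === '' || $password === '') {
        return false;
    }
    return $bind($dn, $password);
}

$dn = 'uid=alice,ou=people,dc=example,dc=org';
$cases = [
    'empty password' => '',
    'wrong password' => 'guess',
    'right password' => 'correct horse',
];
foreach ($cases as $label => $password) {
    printf(
        "%-15s weak=%-5s hardened=%s\n",
        $label,
        var_export(loginWeak('fakeLdapBind', $dn, $password), true),
        var_export(loginHardened('fakeLdapBind', $dn, $password), true)
    );
}
```

Against a real directory, the callable would wrap PHP's `ldap_bind($conn, $dn, $password)`; the empty-credential check stays in front of it.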

Workaround

There is no known workaround at this time.

Resolution

All PhpWiki users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-apps/phpwiki-1.3.14"

OS      Version  Architecture  Package           Version   Filename
Gentoo  any      all           www-apps/phpwiki  < 1.3.14  UNKNOWN
