Vulnerabilities > CVE-2005-2654 - Unspecified vulnerability in PHPldapadmin Project PHPldapadmin
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN phpldapadmin-project
nessus
Summary
phpldapadmin before 0.9.6c allows remote attackers to gain anonymous access to the LDAP server, even when disable_anon_bind is set, via an HTTP request to login.php with the anonymous_bind parameter set.
Vulnerable Configurations
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200509-04.NASL description The remote host is affected by the vulnerability described in GLSA-200509-04 (phpLDAPadmin: Authentication bypass) Alexander Gerasiov discovered a flaw in login.php preventing the application from validating whether anonymous bind has been disabled in the target LDAP server configuration. Impact : Anonymous users can access the LDAP server, even if the last seen 2020-06-01 modified 2020-06-02 plugin id 19669 published 2005-09-12 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/19669 title GLSA-200509-04 : phpLDAPadmin: Authentication bypass code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200509-04. # # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(19669); script_version("1.17"); script_cvs_date("Date: 2019/08/02 13:32:42"); script_cve_id("CVE-2005-2654"); script_xref(name:"GLSA", value:"200509-04"); script_name(english:"GLSA-200509-04 : phpLDAPadmin: Authentication bypass"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200509-04 (phpLDAPadmin: Authentication bypass) Alexander Gerasiov discovered a flaw in login.php preventing the application from validating whether anonymous bind has been disabled in the target LDAP server configuration. Impact : Anonymous users can access the LDAP server, even if the 'disable_anon_bind' parameter was explicitly set to avoid this. Workaround : There is no known workaround at this time." ); # http://secunia.com/advisories/16611/ script_set_attribute( attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/advisories/16611/" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200509-04" ); script_set_attribute( attribute:"solution", value: "All phpLDAPadmin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-nds/phpldapadmin-0.9.7_alpha6'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:phpldapadmin"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2005/09/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/09/12"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-nds/phpldapadmin", unaffected:make_list("ge 0.9.7_alpha6"), vulnerable:make_list("lt 0.9.7_alpha6"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpLDAPadmin"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-790.NASL description Alexander Gerasiov discovered that phpldapadmin, a web-based interface for administering LDAP servers, allows anybody to access the LDAP server anonymously, even if this is disabled in the configuration with the last seen 2020-06-01 modified 2020-06-02 plugin id 19560 published 2005-09-06 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19560 title Debian DSA-790-1 : phpldapadmin - programming error code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-790. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(19560); script_version("1.20"); script_cvs_date("Date: 2019/08/02 13:32:18"); script_cve_id("CVE-2005-2654"); script_xref(name:"DSA", value:"790"); script_name(english:"Debian DSA-790-1 : phpldapadmin - programming error"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Alexander Gerasiov discovered that phpldapadmin, a web-based interface for administering LDAP servers, allows anybody to access the LDAP server anonymously, even if this is disabled in the configuration with the 'disable_anon_bind' statement. The old stable distribution (woody) is not vulnerable to this problem." ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322423" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2005/dsa-790" ); script_set_attribute( attribute:"solution", value: "Upgrade the phpldapadmin package. For the stable distribution (sarge) this problem has been fixed in version 0.9.5-3sarge2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:phpldapadmin"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2005/08/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/09/06"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"phpldapadmin", reference:"0.9.5-3sarge2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CGI abuses NASL id PHPLDAPADMIN_DISABLE_ANON_BIND_BYPASS.NASL description The remote host is running phpLDAPadmin, a PHP-based LDAP browser. The version of phpLDAPadmin installed on the remote host may allow access to an LDAP server anonymously, even if anonymous binds have been disabled in the application last seen 2020-06-01 modified 2020-06-02 plugin id 19546 published 2005-08-31 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19546 title phpLDAPadmin Anonymous Bind Security Bypass Vulnerability code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(19546); script_version("1.17"); script_cvs_date("Date: 2018/07/24 18:56:11"); script_cve_id("CVE-2005-2654"); script_bugtraq_id(14694); script_name(english:"phpLDAPadmin Anonymous Bind Security Bypass Vulnerability"); script_summary(english:"Checks for anonymous bind security bypass vulnerability in phpLDAPadmin"); script_set_attribute(attribute:"synopsis", value: "The remote web server is affected by an authentication bypass issue."); script_set_attribute(attribute:"description", value: "The remote host is running phpLDAPadmin, a PHP-based LDAP browser. The version of phpLDAPadmin installed on the remote host may allow access to an LDAP server anonymously, even if anonymous binds have been disabled in the application's configuration."); script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322423"); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4e9c6bc8"); script_set_attribute(attribute:"solution", value: "Upgrade to phpLDAPadmin 0.9.7-rc1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/31"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/30"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:deon_george:phpldapadmin"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); script_dependencies("http_version.nasl"); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_ports("Services/www", 80); script_require_keys("www/PHP"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:80); if (!can_host_php(port:port)) exit(0); # Loop through CGI directories. foreach dir (cgi_dirs()) { r = http_send_recv3(method:"GET",item:string(dir, "/tree.php"), port:port); if (isnull(r)) exit(0); res = r[2]; # Get the software version if possible. pat = 'class="subtitle".*>phpLDAPadmin - (.+)$'; matches = egrep(string:res, pattern:pat); if (matches) { foreach match (split(matches)) { match = chomp(match); ver = eregmatch(pattern:pat, string:match); if (!isnull(ver)) { ver = ver[1]; break; } } } # Iterate over each configured ldap server and try to exploit the flaw. server_list = res; while (server_list = strstr(server_list, '<tr class="server">')) { server_list = strstr(server_list, '<a href="login_form.php?server_id='); server = server_list - '<a href="login_form.php?server_id='; server = server - strstr(server, '"'); # Look for an "anonymous bind" checkbox in the login form. r = http_send_recv3(method:"GET", item:string(dir, "/login_form.php?server_id=", server), port:port); if (isnull(r)) exit(0); res = r[2]; # If ... if ( # it looks like like phpLDAPadmin and ... '<form action="login.php" method="post" name="login_form">' >< res && '<input type="text" name="login_dn"' >< res && # it doesn't have the "anonymous bind" checkbox. 'type="checkbox" name="anonymous_bind"' >!< res ) { # Try to exploit the flaw. postdata = string( "server_id=", server, "&", "anonymous_bind=on" ); r = http_send_recv3(method: "POST", item: dir+"/login.php", port: port, content_type: "application/x-www-form-urlencoded", data: postdata ); if (isnull(r)) exit(0); res = r[2]; # There's a problem if we could do an anonymous bind. if ( "Successfully logged into server" >< res && "(Anonymous Bind)" >< res ) { security_warning(port); exit(0); } } } # Check the version since the exploit won't works if the # LDAP servers don't actually allow anonymous binds. if (ver && ver =~ "^0\.9\.([0-5]|6($|[ab]|c($|-[0-4])))") { report = string( "Note that Nessus has determined the vulnerability exists on the remote\n", "host simply by looking at the version number of phpLDAPadmin installed\n", "there.\n" ); security_warning(port:port, extra: report); exit(0); } }
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322423
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322423
- http://www.debian.org/security/2005/dsa-790
- http://www.debian.org/security/2005/dsa-790
- http://www.gentoo.org/security/en/glsa/glsa-200509-04.xml
- http://www.gentoo.org/security/en/glsa/glsa-200509-04.xml