[SECURITY] [DLA 79-1] dokuwiki security update



Package        : dokuwiki
Version        : 0.0.20091225c-10+squeeze3
CVE ID         : CVE-2014-8763 CVE-2014-8764
Debian Bug     : 766545

This update fixes a possible bypass of the wiki authentication when Active
Directory is used for LDAP authentication. These two CVEs are almost the same,
one apparently being a superset of the other. They are fixed together.

CVE-2014-8763

    DokuWiki before 2014-05-05b, when using Active Directory for LDAP
    authentication, allows remote attackers to bypass authentication via a
    password starting with a null (\0) character and a valid user name, which
    triggers an unauthenticated bind.

CVE-2014-8764

    DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP
    authentication, allows remote attackers to bypass authentication via a
    user name and password starting with a null (\0) character, which triggers
    an anonymous bind.

--
 ,--.
: /` )   ن Tanguy Ortolo    <xmpp:tanguy@ortolo.eu>
| `-'    Debian Developer   <irc://irc.oftc.net/Tanguy>
 \_
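
The two CVE descriptions above map onto the anonymous and unauthenticated simple binds of RFC 4513 section 5.1. The following is an added example, not part of the advisory and not DokuWiki's code or its patch: a model of how NUL-prefixed input becomes an empty value, plus a guard to run before any bind. It assumes the bind API takes NUL-terminated strings; all function names and sample inputs are constructed for illustration.

```python
# Added example (not DokuWiki code). Assumption: the LDAP bind API receives
# NUL-terminated strings, so each value is cut at its first NUL byte.

class RejectedCredentials(ValueError):
    """Raised when credentials must not be handed to an LDAP simple bind."""

def as_c_string(value: bytes) -> bytes:
    """Return what a char*-based API sees: the bytes before the first NUL."""
    return value.split(b"\x00", 1)[0]

def bind_kind(name: bytes, password: bytes) -> str:
    """Classify a simple bind the way RFC 4513 section 5.1 does."""
    if password:
        return "name/password"
    return "unauthenticated" if name else "anonymous"

def effective_bind(user: str, password: str) -> str:
    """Bind type the directory would see if input were passed on unchecked."""
    return bind_kind(as_c_string(user.encode("utf-8")),
                     as_c_string(password.encode("utf-8")))

def check_credentials(user: str, password: str) -> tuple:
    """Guard to run before binding: refuse empty or NUL-containing values."""
    name, secret = user.encode("utf-8"), password.encode("utf-8")
    if b"\x00" in name or b"\x00" in secret:
        raise RejectedCredentials("NUL byte in user name or password")
    if not name or not secret:
        raise RejectedCredentials("empty user name or password")
    return name, secret

def guard_accepts(user: str, password: str) -> bool:
    try:
        check_credentials(user, password)
        return True
    except RejectedCredentials:
        return False

# Constructed sample inputs, one per case discussed in the advisory.
SAMPLES = [
    ("alice", "correct horse"),   # ordinary login attempt
    ("alice", "\x00anything"),    # shape described for CVE-2014-8763
    ("\x00x", "\x00y"),           # shape described for CVE-2014-8764
    ("alice", ""),                # plain empty password
]

def report() -> list:
    """(user, password, bind type if unchecked, accepted by the guard)."""
    return [(u, p, effective_bind(u, p), guard_accepts(u, p)) for u, p in SAMPLES]

if __name__ == "__main__":
    for row in report():
        print(row)
```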
