<?xml version="1.0" encoding="utf-8"?>
<glsa id="200709-10">
<title>PhpWiki: Authentication bypass</title>
A vulnerability has been discovered in the PhpWiki authentication mechanism.
<product type="ebuild">phpwiki</product>
<announced>September 18, 2007</announced>
<revised>September 18, 2007: 01</revised>
<package name="www-apps/phpwiki" auto="yes" arch="*">
<unaffected range="ge">1.3.14</unaffected>
<vulnerable range="lt">1.3.14</vulnerable>
PhpWiki is an application that creates a web site where anyone can edit
the pages through HTML forms.
The PhpWiki development team reported an authentication error within
the file lib/WikiUser/LDAP.php when binding to an LDAP server with an
empty password.
<impact type="low">
A remote attacker could provide an empty password when authenticating.
Depending on the LDAP implementation used, this could bypass the
PhpWiki authentication mechanism and grant the attacker access to the
There is no known workaround at this time.
All PhpWiki users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=www-apps/phpwiki-1.3.14&quot;</code>
<uri link="">CVE-2007-3193</uri>
<metadata tag="requester" timestamp="Tue, 04 Sep 2007 23:41:27 +0000">
<metadata tag="bugReady" timestamp="Sat, 08 Sep 2007 16:22:11 +0000">
<metadata tag="submitter" timestamp="Sat, 15 Sep 2007 20:54:32 +0000">