Vulnonym.org

CVE-2007-6714 - Giddying Thousand

Description

DBMail before 2.2.9 when using authldap with an LDAP server that supports anonymous login such as Active Directory allows remote attackers to bypass authentication via an empty password which causes the LDAP bind to indicate success based on anonymous authentication.

Reference

http://www.mail-archive.com/dbmail-dev@dbmail.org/msg09942.html http://dbmail.org/index.php?page=news&id=44 http://www.securityfocus.com/bid/28849 http://www.gentoo.org/security/en/glsa/glsa-200804-24.xml http://www.securitytracker.com/id?1019914 http://secunia.com/advisories/29903 http://secunia.com/advisories/29937 https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00549.html https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00585.html http://secunia.com/advisories/29984 http://osvdb.org/44561 http://www.vupen.com/english/advisories/2008/1321/references https://exchange.xforce.ibmcloud.com/vulnerabilities/41907