PhpWiki: Authentication bypass — GLSA 200709-10

A vulnerability has been discovered in PhpWiki authentication mechanism.

Affected packages

www-apps/phpwiki on all architectures
Affected versions < 1.3.14
Unaffected versions >= 1.3.14

Background

PhpWiki is an application that creates a web site where anyone can edit the pages through HTML forms.

Description

The PhpWiki development team reported an authentication error within the file lib/WikiUser/LDAP.php when binding to an LDAP server with an empty password.

Impact

A remote attacker could provide an empty password when authenticating. Depending on the LDAP implementation used, this could bypass the PhpWiki authentication mechanism and grant the attacker access to the application.

Workaround

There is no known workaround at this time.

Resolution

All PhpWiki users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-apps/phpwiki-1.3.14"

References

Release date
September 18, 2007

Latest revision
September 18, 2007: 01

Severity
low

Exploitable
remote

Bugzilla entries