Package: zope-ldapuserfolder
Version: 2.9-1
Severity: grave
Tags: security
Justification: user security hole


When an LDAP user folder is enabled, any password is accepted when attempting to log in
as the emergency user (that is, the one defined in the 'access' file using zpasswd.py).

/usr/share/zope/Products/LDAPUserFolder/LDAPUserFolder.py fails to check that the
password is correct, leading to the above security issue. Patch should be:

--- LDAPUserFolder.py.orig      2010-08-18 12:58:18.000000000 +0100
+++ LDAPUserFolder.py.fixed     2010-08-18 13:50:22.000000000 +0100
@@ -800,7 +800,7 @@
         if not name:
             return None

-        if super and name == super.getUserName():
+        if super and name == super.getUserName() and 
super.authenticate(password, request):
             user = super
         else:
             user = self.getUser(name, password)
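
Review bot: the `+` line is wrapped across two lines in this mail, with `and ` ending one line and `super.authenticate(password, request):` starting the next, so as posted the hunk will not apply cleanly and, if applied by hand as shown, leaves a syntax error; the condition should be on one line, or the wrapped form enclosed in parentheses. The change itself addresses the reported issue: previously a name match alone selected the emergency user, and adding `super.authenticate(password, request)` supplies the missing password verification (this assumes `request` is a parameter of the enclosing method, which the hunk does not show). One thing to be aware of: when the password check fails the code now falls through to `user = self.getUser(name, password)`, so a wrong password for the emergency user name is looked up as an ordinary LDAP user rather than being refused outright; that follows the existing structure but is worth a comment in the code.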

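As an added illustration (not LDAPUserFolder's code and not part of this report), the shape of the check before and after the patch, with a constructed stand-in for the emergency user and a stub in place of the LDAP lookup:

```python
import hashlib
import hmac


# Constructed stand-in for Zope's emergency user (the account created with
# zpasswd.py in the 'access' file). Only the two methods the check relies on.
class EmergencyUser:
    def __init__(self, name, password):
        self._name = name
        self._digest = hashlib.sha256(password.encode()).digest()

    def getUserName(self):
        return self._name

    def authenticate(self, password, request=None):
        candidate = hashlib.sha256(password.encode()).digest()
        return hmac.compare_digest(candidate, self._digest)


def ldap_lookup(name, password):
    # Stub for self.getUser(name, password): no directory here, so no user.
    return None


def authenticate_before(super_user, name, password, request=None):
    # Unpatched shape: a matching name alone selects the emergency user,
    # so the supplied password is never verified for that account.
    if not name:
        return None
    if super_user and name == super_user.getUserName():
        return super_user
    return ldap_lookup(name, password)


def authenticate_after(super_user, name, password, request=None):
    # Patched shape: the emergency user is returned only when the supplied
    # password verifies; otherwise the name falls through to the LDAP lookup.
    if not name:
        return None
    if (super_user and name == super_user.getUserName()
            and super_user.authenticate(password, request)):
        return super_user
    return ldap_lookup(name, password)


EMERGENCY = EmergencyUser("admin", "correct horse")  # constructed sample
```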
-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages zope-ldapuserfolder depends on:
ii  python-ldap                 2.3.5-1      An LDAP interface module for Pytho
ii  zope-common                 0.5.45       common settings and scripts for Zo
ii  zope2.9                     2.9.6-4etch2 Open Source Web Application Server

zope-ldapuserfolder recommends no packages.

zope-ldapuserfolder suggests no packages.

-- no debconf information