OSVDB ID: 9723

Title: Multiple Vendor LDAP Server NULL Bind Connection Information Disclosure

Info

Dates

Disclosure: Mar 15, 1999
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

Multiple LDAP servers contain a flaw that may lead to unauthorized information disclosure. The issue is triggered when the LDAP NULL bind entry is enabled by default, which may allow a remote attacker to anonymously view files on the LDAP directory, resulting in a loss of confidentiality.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Unknown
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Disable the NULL bind entry or control the entry with Access Control Lists (ACLs). Consult your documentation or vendor for detailed instructions on how to accomplish this.

Products

All Vendors

LDAP Server

All Versions

References

Credit

Unknown or Incomplete



Direct URL: http://osvdb.org/36218