SurgeLDAP 1.0g (Build 12), and possibly other versions before 1.0h, allows remote attackers to bypass authentication for the administration interface via a direct request to admin.cgi with a modified utoken parameter.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Surgeldap | Netwin | 1.0a (including) | 1.0a (including) |
| Surgeldap | Netwin | 1.0b (including) | 1.0b (including) |
| Surgeldap | Netwin | 1.0d (including) | 1.0d (including) |
| Surgeldap | Netwin | 1.0e (including) | 1.0e (including) |
| Surgeldap | Netwin | 1.0f (including) | 1.0f (including) |
| Surgeldap | Netwin | 1.0g (including) | 1.0g (including) |
References
- http://netwinsite.com/surgeldap/updates.htm
- http://secunia.com/advisories/11549
- http://securitytracker.com/alerts/2004/May/1010113.html
- http://securitytracker.com/id?1010068
- http://www.osvdb.org/5890
- http://www.securityfocus.com/bid/10294
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16076
- http://netwinsite.com/surgeldap/updates.htm
- http://secunia.com/advisories/11549
- http://securitytracker.com/alerts/2004/May/1010113.html
- http://securitytracker.com/id?1010068
- http://www.osvdb.org/5890
- http://www.securityfocus.com/bid/10294
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16076