CVE-2014-8763

DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (0) character and a valid user name, which triggers an unauthenticated bind.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Dokuwiki	Dokuwiki	*	2014-05-05a (including)
Dokuwiki	Ubuntu	artful	*
Dokuwiki	Ubuntu	lucid	*
Dokuwiki	Ubuntu	precise	*
Dokuwiki	Ubuntu	trusty	*
Dokuwiki	Ubuntu	utopic	*
Dokuwiki	Ubuntu	vivid	*
Dokuwiki	Ubuntu	wily	*
Dokuwiki	Ubuntu	yakkety	*
Dokuwiki	Ubuntu	zesty	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/114.html
https://cwe.mitre.org/data/definitions/115.html
https://cwe.mitre.org/data/definitions/151.html
https://cwe.mitre.org/data/definitions/194.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/593.html
https://cwe.mitre.org/data/definitions/633.html
https://cwe.mitre.org/data/definitions/650.html
https://cwe.mitre.org/data/definitions/94.html

References

http://advisories.mageia.org/MGASA-2014-0438.html
http://secunia.com/advisories/61983
http://www.debian.org/security/2014/dsa-3059
http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
http://www.openwall.com/lists/oss-security/2014/10/13/3
http://www.openwall.com/lists/oss-security/2014/10/16/9
https://github.com/splitbrain/dokuwiki/pull/868

NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-8763
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References