CVE-2014-8764

DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (0) character, which triggers an anonymous bind.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Mageia	Mageia_project	3.0 (including)	3.0 (including)
Mageia	Mageia_project	4.0 (including)	4.0 (including)
Dokuwiki	Ubuntu	lucid	*
Dokuwiki	Ubuntu	precise	*
Dokuwiki	Ubuntu	trusty	*
Dokuwiki	Ubuntu	upstream	*
Dokuwiki	Ubuntu	utopic	*
Dokuwiki	Ubuntu	vivid	*
Dokuwiki	Ubuntu	wily	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/114.html
https://cwe.mitre.org/data/definitions/115.html
https://cwe.mitre.org/data/definitions/151.html
https://cwe.mitre.org/data/definitions/194.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/593.html
https://cwe.mitre.org/data/definitions/633.html
https://cwe.mitre.org/data/definitions/650.html
https://cwe.mitre.org/data/definitions/94.html

References

http://advisories.mageia.org/MGASA-2014-0438.html
http://secunia.com/advisories/61983
http://www.debian.org/security/2014/dsa-3059
http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
http://www.openwall.com/lists/oss-security/2014/10/13/3
http://www.openwall.com/lists/oss-security/2014/10/16/9
https://github.com/splitbrain/dokuwiki/pull/868

NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-8764
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References