[OpenPKG-SA-2004.019] OpenPKG Security Advisory (kolab)

Thomas Lotterer thl at dev.de.cw.com
Thu May 6 11:56:10 CEST 2004


On Wed, May 05, 2004, Jon Bendtsen wrote:

Jon,

> I don't understand how serious this is. Can a remote attacker gain
> access?
> 
An attacker must be able to read your local slapd.conf first. It
contains information which would allow him to connect to OpenLDAP to
view and even modify and delete information.

Such operations can be done remotely if slapd listens on a public
interface and TCP port 389 (LDAP) or TCP port 636 (LDAPS) is
accessible. In theory, things can be worse if a host uses the same
Directory for Unix shell authorization (i.e. via PAM LDAP module) ...

--
Thomas.Lotterer at cw.com, Cable & Wireless
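
A local check for the precondition described in the reply above, added here as an example and not part of the original message or of OpenPKG/Kolab: it reports whether a slapd.conf is world-readable and whether it holds a cleartext bind secret. It assumes the sensitive value is the standard OpenLDAP `rootpw` directive; the sample config and its values are constructed.

```python
import os
import re
import stat
import tempfile

# Scheme prefixes slapd accepts for a hashed rootpw; a value without one is cleartext.
HASHED = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}", re.IGNORECASE)


def audit_slapd_conf(path):
    """Return findings about who can read the file and what a reader would learn."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable (mode %04o)" % mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            parts = line.split(None, 1)
            # Assumption: rootpw is the directive that carries the bind secret.
            if len(parts) == 2 and parts[0].lower() == "rootpw":
                value = parts[1].strip().strip('"')
                if not HASHED.match(value):
                    findings.append("line %d: rootpw is cleartext" % lineno)
    return findings


def demo():
    """Audit a constructed config twice: loose/cleartext, then tight/hashed."""
    template = (
        "database bdb\n"
        'suffix "dc=example,dc=com"\n'
        'rootdn "cn=manager,dc=example,dc=com"\n'
        "rootpw %s\n"
    )
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "slapd.conf")
        for secret, mode in (("example-secret", 0o644),
                             ("{SSHA}constructed-placeholder", 0o600)):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(template % secret)
            os.chmod(path, mode)
            results.append(audit_slapd_conf(path))
    return results


if __name__ == "__main__":
    for findings in demo():
        print(findings or "no findings")
```

To audit a real install, call `audit_slapd_conf()` with the path to that host's slapd.conf, which depends on the installation prefix.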



