[389-users] LDAP allows null bases

Kay Cee kayceegeek at gmail.com
Wed Mar 11 10:23:42 UTC 2015


All clients connecting to our 389-ds server showed up this vulnerability on
the scan. How do I fix this on my 389-ds server?

LDAP allows null bases

Risk:High
Application:ldap
Port:389
Protocol:tcp
ScriptID:10722
Summary:
It is possible to disclose LDAP information.
Description :
Improperly configured LDAP servers will allow the directory BASE to be set
to NULL. This allows information to be culled without any prior knowledge
of the directory structure. Coupled with a NULL BIND, an anonymous user can
query your LDAP server using a tool such as 'LdapMiner'

Solution:
Disable NULL BASE queries on your LDAP server
CVSS Base Score : 5.0
Family name: Remote file access
Category: infos
Copyright: Copyright (C) 2000 John Lampe....j_lampe at bellsouth.net
Summary: Check for LDAP null base
Version: $Revision: 128 $
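
An added example, not part of the original post or of the scanner's own script: a shell check an administrator can run against their own directory server to see what the anonymous null-base query described in the report actually returns. The server URI and the sample LDIF are constructed placeholders, and `ldapsearch` is assumed to be the OpenLDAP client.

```shell
#!/bin/sh
# Added example: inspect what a NULL BIND + NULL BASE query discloses.

# Anonymous simple bind (-x with no bind DN) and a base-scope search on the
# empty DN (-b ""), requesting user ("*") and operational ("+") attributes.
# $1 is the server URI, e.g. ldap://ds.example.com:389 (placeholder host).
query_rootdse() {
    ldapsearch -x -LLL -H "$1" -b "" -s base "(objectClass=*)" "*" "+"
}

# Print the directory suffixes (namingContexts values) found in LDIF on stdin.
# These are what let a client walk the tree without prior knowledge of it.
# Base64-encoded values ("namingContexts::") are not decoded here.
disclosed_suffixes() {
    awk 'tolower($1) == "namingcontexts:" { sub(/^[^:]*: */, ""); print }'
}

# Print "exposed" if the LDIF on stdin carries any attribute values,
# "closed" if the anonymous null-base query returned nothing.
null_base_verdict() {
    if grep -Eq '^[A-Za-z][A-Za-z0-9;-]*::? '; then
        echo exposed
    else
        echo closed
    fi
}

# Constructed sample of a root DSE reply, used when no URI is given.
SAMPLE_LDIF='dn:
objectClass: top
namingContexts: dc=example,dc=com
namingContexts: o=netscaperoot
supportedLDAPVersion: 3
vendorName: 389 Project'

# With a URI argument, query that server; otherwise use the sample above.
# An unreachable server also yields empty output, so check connectivity
# separately before trusting a "closed" result.
if [ -n "${1:-}" ]; then
    ldif=$(query_rootdse "$1")
else
    ldif=$SAMPLE_LDIF
fi
printf 'verdict: %s\n' "$(printf '%s\n' "$ldif" | null_base_verdict)"
printf '%s\n' "$ldif" | disclosed_suffixes
```

Running it before and after a configuration change shows whether the scanner finding should still fire and which suffixes were visible to an unauthenticated client.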