Security advisory: LDAP and AD authentication

From KnowledgeTree Community

Description

It has been reported that, under some circumstances, a flaw in the LDAP and Active Directory (AD) authentication plugins may allow unauthorized access to repositories.


This issue is known to occur if you have:

1) Modified a user's 'sAMAccountName' or 'CN' on the LDAP or AD server after users were imported, e.g. from 'john' to 'JOHN';

2) Removed or modified a user's 'sAMAccountName' or 'CN' attribute on the authentication server after users were imported;

3) Manually modified the 'users' table in the KnowledgeTree database.
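The three conditions above can be checked for before applying the patch. The following audit script is an added example, not KnowledgeTree code: it compares the accounts that were imported from the directory against the directory's current entries and reports any whose stored name no longer matches exactly (case changed) or whose matching attribute is now missing. The 'users' table columns, the DNs and all sample records are constructed assumptions.

```python
# Added example (not KnowledgeTree code): audit imported accounts for the
# drift conditions this advisory lists. The column names of the 'users'
# table, the DNs and the sample data are assumptions.

# Constructed sample: what the KnowledgeTree 'users' table held at import time.
KT_USERS = [
    {"id": 1, "username": "john", "source": "ldap"},
    {"id": 2, "username": "alice", "source": "ldap"},
    {"id": 3, "username": "bob", "source": "ldap"},
    {"id": 4, "username": "local.admin", "source": "kt"},  # created in KT, not affected
]

# Constructed sample: current directory entries keyed by DN, holding the
# attribute the plugin matches on (sAMAccountName for AD, CN for LDAP).
DIRECTORY = {
    "cn=JOHN,ou=people,dc=example,dc=com": {"sAMAccountName": "JOHN"},  # case changed after import
    "cn=alice,ou=people,dc=example,dc=com": {"sAMAccountName": "alice"},
    "cn=bob,ou=people,dc=example,dc=com": {},                           # attribute removed
}


def directory_values(attr):
    """Return the set of non-empty values the directory currently holds for attr."""
    return {e[attr] for e in DIRECTORY.values() if e.get(attr)}


def audit_imported_users(users, attr="sAMAccountName"):
    """Flag directory-imported accounts whose stored username no longer has an
    exact, case-sensitive match in the directory. Returns {username: reason}."""
    current = directory_values(attr)
    folded = {v.lower(): v for v in current}
    problems = {}
    for u in users:
        if u["source"] != "ldap":
            continue  # accounts created within KnowledgeTree are out of scope
        name = u["username"]
        if name in current:
            continue  # exact match: condition 1 and 2 do not apply
        if name.lower() in folded:
            problems[name] = f"case differs from directory value {folded[name.lower()]!r}"
        else:
            problems[name] = f"no directory entry with a non-empty {attr}"
    return problems


if __name__ == "__main__":
    for user, why in audit_imported_users(KT_USERS).items():
        print(f"{user}: {why}")
```

Any account the script reports should be reconciled with the directory (or re-imported) in addition to applying the patched file below.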


Affected Installations

This issue may affect the following KnowledgeTree versions, when authenticating against LDAP or Active Directory servers:

  • 3.5.2
  • 3.5.2a
  • 3.5.2b
  • 3.5.2c


Note that users created within KnowledgeTree are not affected by this issue.


How to resolve this issue

To resolve this issue, please perform the following steps:

1) Locate and back up the following file:
<KnowledgeTree Directory>/knowledgeTree/plugins/ktstandard/ldap/ldapbaseauthenticationprovider.inc.php
2) Replace the file with the version available at the following address:
http://issues.knowledgetree.com/secure/attachment/13287/ldapbaseauthenticationprovider.inc.php


Support

Please email any questions regarding this issue to support@knowledgetree.com. Note that the patch for this issue will be included in the KnowledgeTree 3.5.3 release.
