SurgeLDAP Web Administration Authentication Bypass Vulnerability

vendor:

SurgeLDAP

by:

7.5

CVSS

HIGH

Authentication Bypass

CWE

Product Name: SurgeLDAP

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows, Unix

SurgeLDAP Web Administration Authentication Bypass Vulnerability

The SurgeLDAP web administration application is prone to an authentication bypass vulnerability, possibly allowing remote attackers manager access. Once administration access is granted, it may be possible for an attacker to modify records in the LDAP database, destroy data, crash the server, or possibly further attacks on other services utilizing SurgeLDAP for its authentication data.

Mitigation:

No known mitigation at this time

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10294/info

SurgeLDAP is an LDAP server implementation for Microsoft Windows and various Unix operating systems. It includes a built-in web server to permit remote user access via HTTP. 

It has been reported that the SurgeLDAP web administration application is prone to an authentication bypass vulnerability, possibly allowing remote attackers manager access.

Once administration access is granted, it may be possible for an attacker to modify records in the LDAP database, destroy data, crash the server, or possibly further attacks on other services utilizing SurgeLDAP for it's authentication data.

http://www.example.com/admin.cgi?cmd=show&page=main.tpl&utoken=manager