*** Jan-Oliver Wagner <[email protected]> wrote:

> On Friday, 13 March 2009, Michael Meyer wrote:
> > *** Jan-Oliver Wagner <[email protected]> wrote:
> > > The script is not documented in a way that explains why it is
> > > a Security Hole.
> > > The text says it shows the information that can be pulled from the LDAP,
> > > but in fact it is truncated and only the first couple of bytes are shown
> > > in the report.
> > >
> > > Any LDAP experts around? ;-)
> >
> > http://markmail.org/message/ry5kkd6mrpzgzj42
> > http://www.openldap.org/lists/openldap-software/200605/msg00191.html
> > http://kuerzer.de/hf3OS3QpP
> > http://kuerzer.de/gR18v5O9j
> > http://www.mail-archive.com/[email protected]/msg17819.html
>
> Seems we should downgrade the severity of this finding?
IMHO, yes. Moreover, this plugin should be revised so that it produces fewer false positives. Currently, the plugin only determines whether there is *any* output from ldapsearch. If so, the plugin reports a security problem. This is also the case if the output is just a message like "Could not connect".

Micha

_______________________________________________
Openvas-plugins mailing list
[email protected]
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins
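Editor's note (added example, not code from the thread or from the OpenVAS plugin under discussion): the false positive Micha describes comes from treating "ldapsearch printed something" as "anonymous LDAP exposes data". The check below, written in Python rather than NASL, parses ldapsearch output as LDIF and only counts real entries (blank-line separated blocks starting with `dn:`), so connection errors such as `ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)` or "Could not connect" are no longer a finding. It also separates the case where the only readable entry is the root DSE (empty DN), which most servers expose anonymously by design, from a search that returns directory data. The sample outputs are constructed, modelled on OpenLDAP's ldapsearch format, and the severity mapping in `report_level` is this editor's suggestion, not anything the plugin or the thread defines.

```python
import base64
import re

# Constructed sample ldapsearch outputs (not real scan data), modelled on OpenLDAP.
OUTPUT_CONNECT_FAILED = "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)\n"
OUTPUT_COULD_NOT_CONNECT = "Could not connect\n"  # wording quoted in the thread
OUTPUT_ROOTDSE_ONLY = """\
# extended LDIF
# base <> with scope baseObject
#

#
dn:
namingContexts: dc=example,dc=com
supportedLDAPVersion: 3

# search result
search: 2
result: 0 Success

# numEntries: 1
"""
OUTPUT_ENTRIES = """\
# extended LDIF
# base <dc=example,dc=com> with scope subtree
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example Corporation

# jdoe, people, example.com
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
description: a deliberately long value that ldapsearch folds onto a continu
 ation line
sn:: RG9l

# search result
search: 2
result: 0 Success

# numEntries: 2
"""

# Client-side error lines: "ldap_<call>(...): message" from libldap, plus the
# "Could not connect" wording mentioned in the thread (assumed spelling).
ERROR_PATTERNS = (
    re.compile(r"^ldap_\w+(\(\w+\))?: "),
    re.compile(r"^Could not connect", re.IGNORECASE),
)


def _finish(raw):
    """Turn (attr, value, is_base64) triples into one entry dict; dn is a string."""
    entry = {"dn": ""}
    for attr, value, b64 in raw:
        if b64:  # "attr:: <base64>" form; decode only after folding is resolved
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr == "dn":
            entry["dn"] = value
        else:
            entry.setdefault(attr, []).append(value)
    return entry


def parse_ldif(output):
    """Return the entries in ldapsearch output; comments, result lines and errors are ignored."""
    entries, raw, in_entry = [], [], False
    for line in output.splitlines():
        line = line.rstrip("\r")
        if line.startswith(" ") and in_entry and raw:  # LDIF folded continuation
            attr, value, b64 = raw[-1]
            raw[-1] = (attr, value + line[1:], b64)
            continue
        if line == "":  # blank line terminates an entry
            if in_entry:
                entries.append(_finish(raw))
                raw, in_entry = [], False
            continue
        if line.startswith("#") or ":" not in line:  # comment or non-LDIF text
            continue
        attr, _, value = line.partition(":")
        b64 = value.startswith(":")
        value = (value[1:] if b64 else value).strip()
        if attr == "dn":  # "dn:" with an empty value is the root DSE
            in_entry, raw = True, [("dn", value, b64)]
        elif in_entry:  # "search:" / "result:" lines fall outside any entry
            raw.append((attr, value, b64))
    if in_entry:
        entries.append(_finish(raw))
    return entries


def classify(output):
    """Return (kind, entries): 'error', 'no_data', 'rootdse_only' or 'data'."""
    entries = parse_ldif(output)
    errors = [l for l in output.splitlines() if any(p.search(l) for p in ERROR_PATTERNS)]
    if not entries:
        return ("error" if errors else "no_data"), []
    if all(e["dn"] == "" for e in entries):
        return "rootdse_only", entries
    return "data", entries


def report_level(output):
    """Editor's suggested mapping: only real directory data justifies a finding."""
    kind, _ = classify(output)
    return {"data": "finding", "rootdse_only": "informational"}.get(kind, "none")


if __name__ == "__main__":
    for name, out in [("connect failed", OUTPUT_CONNECT_FAILED), ("could not connect", OUTPUT_COULD_NOT_CONNECT),
                      ("root DSE only", OUTPUT_ROOTDSE_ONLY), ("entries", OUTPUT_ENTRIES)]:
        kind, entries = classify(out)
        print(f"{name:18s} -> {kind:13s} entries={len(entries)} report={report_level(out)}")
```

In a real plugin the output string would come from the ldapsearch invocation (or from a native LDAP bind and search), and the full entry list, not a truncated prefix, is what should be attached to the report so the reader can see what was actually exposed.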
