DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null ( ) character, which triggers an anonymous bind.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8764
Reference (s):
- http://advisories.mageia.org/MGASA-2014-0438.html
- https://github.com/splitbrain/dokuwiki/pull/868
- DEBIAN:DSA-3059
- URL: http://www.debian.org/security/2014/dsa-3059
- MLIST:[dokuwiki] 20140918 Fwd: Dokuwiki (maybe) security issue: Null byte poisoning in LDAP authentication