CVE-2023-4505: Staff / Employee Business Directory for Active Directory

The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server.
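One way to close the passback pattern described above in a WordPress settings handler, as an added example that is not the plugin's own code or its 1.3 fix: the stored bind password is never sent to a server other than the one it was saved for, the URL is validated before it can become a bind target, and the change is gated on capability and nonce checks. Function and option names (mo_dir_*) are assumptions.

```php
<?php
// Added example, not the plugin's code: hardened "save LDAP server" action.
// Option names and the function name are assumptions.

function mo_dir_save_ldap_settings() {
    // Only administrators may touch the directory connection, and the form
    // must carry a valid nonce so the change cannot be forged cross-site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'mo_dir_ldap_settings' );

    $new_url  = sanitize_text_field( wp_unslash( $_POST['ldap_server'] ?? '' ) );
    $new_dn   = sanitize_text_field( wp_unslash( $_POST['ldap_bind_dn'] ?? '' ) );
    $new_pass = (string) wp_unslash( $_POST['ldap_bind_password'] ?? '' );

    // Accept only ldap:// or ldaps:// URLs that carry a host.
    $parts  = wp_parse_url( $new_url );
    $scheme = isset( $parts['scheme'] ) ? strtolower( $parts['scheme'] ) : '';
    if ( ! $parts || ! in_array( $scheme, array( 'ldap', 'ldaps' ), true ) || empty( $parts['host'] ) ) {
        wp_die( 'Invalid LDAP server URL.' );
    }

    // Passback control: if the host or port changes, the old stored password is
    // discarded and a password for the new server must arrive in this request.
    // The stored secret is therefore never bound against a different host.
    $old_url   = (string) get_option( 'mo_dir_ldap_server', '' );
    $old_parts = wp_parse_url( $old_url );
    $old_host  = $old_parts ? ( $old_parts['host'] ?? '' ) . ':' . ( $old_parts['port'] ?? '' ) : '';
    $new_host  = $parts['host'] . ':' . ( $parts['port'] ?? '' );
    if ( $old_host !== $new_host ) {
        delete_option( 'mo_dir_ldap_bind_password' );
        if ( $new_pass === '' ) {
            wp_die( 'The LDAP server changed; enter the bind password for the new server.' );
        }
        // Audit trail for the change of bind target (no secrets logged).
        error_log( sprintf( 'mo_dir: user %d changed LDAP server from %s to %s',
            get_current_user_id(), $old_url, $new_url ) );
    }

    update_option( 'mo_dir_ldap_server', $new_url );
    update_option( 'mo_dir_ldap_bind_dn', $new_dn );
    if ( $new_pass !== '' ) {
        update_option( 'mo_dir_ldap_bind_password', $new_pass );
    }
    // The settings page renders the password field empty: the stored value is
    // read only by the bind routine and never echoed back to the browser.
}
```

The same rule applies to any "Test LDAP Connection" action: it should bind only with credentials submitted in that request, never with the stored password against a URL taken from the form.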


The Staff/Employee Business Directory for Active Directory plugin is used to perform an LDAP search and display the Staff / Employees present in your Active Directory on a WordPress site using a shortcode. The users / staff / employee details will be fetched from the Active Directory dynamically. That means the users will not be created in WordPress, and neither will their information be stored. Our plugin will seamlessly allow you to perform a Staff / Employee search through your business directory, employee directory, staff directory, or any other Active Directory implementations from your WordPress site and display the information you would like to see.

Free Version Features

  • Search LDAP / Active Directory users and Display them on your WordPress site.
  • Fetch information from a business directory, employee directory, staff directory, or any other Active Directory implementations.
  • Display the LDAP / Active Directory users using the configured attributes such as name, email, phone, and custom attributes.
  • LDAP custom attributes such as Department, Title, Birthday, etc., can also be used to perform LDAP search.
  • Display Profile Picture set in your LDAP / Active Directory as user profile picture in LDAP search results.
  • Search using different LDAP Search Bases that allow you to restrict employee / staff search to selected Search Bases (Organizational Units).
  • Auto-fetching the list of LDAP Search Bases / Organization Units (OUs) in your LDAP / Active Directory.
  • Support for LDAP Secure connection (LDAPS) and TLS Connection.

Support searching and fetching data dynamically from the following Active Directory implementations:

  1. Microsoft Active Directory
  2. Azure Active Directory
  3. Sun Active Directory
  4. OpenLDAP Directory
  5. JumpCloud
  6. FreeIPA Directory
  7. Synology
  8. OpenDS
and several other LDAP directory systems.

Premium Version Features (check the Licensing tab to learn more):

  • Add unlimited LDAP / AD Attributes: Add and configure as many LDAP/Active Directory custom attributes to display on your WordPress site.
  • Multiple Search Attributes: Search the LDAP / AD staff / employees using more than one LDAP attribute at a time. For example, search from the LDAP Server/Active Directory for users by name and city attributes.
  • Auto-fetching of LDAP Organizational Units (OUs): Fetches the LDAP Organizational Units (OUs) present in your Active Directory/ Business Directory/ Employee Directory/ Staff Directory or other LDAP Directory.
  • Search Users from Multiple LDAP Search Bases: Select multiple search bases and search LDAP users from these configured search bases from your Active Directory / other LDAP Directory.
  • Custom Search Filter: Add a Custom Search Filter to customize the LDAP Employee search result as per the requirements. Ex. Search only active LDAP Directory users, and restrict particular LDAP/Active Directory group users in LDAP search results.
  • Fetch LDAP/Active Directory Profile Picture: Display the thumbnail photo / Profile Picture set in your LDAP/Active Directory as the user profile picture in the search result.

Use Cases Supported By Our Plugin

  • Create a Phonebook Directory / Employee Directory / Staff Directory that is in sync with your Active Directory.
  • Fetch the complete profile information along with pictures of students enrolled in a school or university.
  • Display hospital staff and doctors with the details of their specialization from your Active Directory / LDAP on a WordPress page.
  • Search and display the employees’ / staff’s data present in your LDAP server on-the-fly without storing the employee information in WordPress.
  • Display Staff / Employees having birthdays and anniversaries on a specific page and send automated congratulating emails.

Other Use-Cases we support

  • miniOrange WP LDAP/AD Login for Intranet sites plugin supports login to WordPress sites using credentials stored in Active Directory and LDAP Directory systems. This requires the PHP LDAP extension to be enabled on your site.
  • miniOrange Active Directory/LDAP Integration for Cloud & Shared Hosting Platforms plugin supports login to WordPress sites hosted on a shared hosting platform using credentials stored in Active Directory and LDAP Directory systems, for cases where you are not able to enable the PHP LDAP extension on your site.
  • WordPress Login and User Management Plugin: This plugin offers several functionalities, including bulk user management, user redirection based on WordPress roles, user session management, auto-logout users, and the ability to make a page or post private or public based on an ID or URL.
  • miniOrange supports API Security use cases to protect and secure your APIs using our product XecureAPI, which lets you enable authentication methods (such as OAuth, SAML, LDAP, API Key Authentication, JWT Authentication, etc.), rate limiting, IP restriction and much more on your APIs for complete protection.
  • miniOrange also supports VPN use cases: log in to your VPN client using Active Directory / other LDAP Directory credentials and Multi-Factor Authentication.
  • miniOrange supports Single Sign-On (SSO) into a plethora of applications and supports various protocols (RADIUS, SAML, OAuth, LDAP/LDAPS) using various IdPs such as Azure Active Directory, Microsoft on-premise Active Directory, Okta, ADFS, etc.
  • Contact us at [email protected] to know more.

Why you should go with our solution

  • Support: With search being one of the essential functions of a website, our priority support ensures that any issues you face on a live production site can be resolved on time.
  • Regular updates: We regularly update our plugin and ensure it is compatible with the latest WordPress versions. These updates include security and bug fixes, so you always have the newest security fixes.
  • Timely updates for new WordPress/PHP releases: Our premium plugins receive compatibility updates so that you have adequate support for smooth transitions to new versions of WordPress and PHP.
  • Reasonably priced: Various plans are tailored to suit your needs. We provide discounts to educational and non-profit organizations and bulk discounts on large purchases.
  • Easy to set up: High-quality, easy-to-understand documentation will help you in setting up our plugin. Our developers can also help you by walking you through the setup process of the plugin.
  • High level of customization and add-ons to support specific requirements.

Need support?

Please email us at [email protected] or Contact us

Minimum Requirements

  • Compatible with WordPress version 5.0 or higher
  • Compatible with PHP version 5.2.0 or higher

Prerequisites

I. Staff/Employee Business Directory for Active Directory plugin requires the following PHP Modules to be enabled. Make sure you have enabled them.

  1. PHP LDAP Module:
    Step-1: Open the php.ini file.
    Step-2: Search for “extension=php_ldap.dll” in the php.ini file. Uncomment this line. If it isn’t present, add this line to the file and save the file.

  2. OpenSSL Module:
    Step-1: Open the php.ini file.
    Step-2: Search for “extension=php_openssl.dll” in the php.ini file. Uncomment this line. If not present, add this line to the file and save the file.

II. To install the Staff / Employee Business Directory for Active Directory plugin, the minimum requirements are:

  1. WordPress version 5.0
  2. PHP version 5.2.0

From your WordPress dashboard

  1. Visit Plugins > Add New
  2. Search for Staff/Employee Business Directory for Active Directory. Find and install the Staff/Employee Business Directory for Active Directory.
  3. Activate the plugin from your Plugins section.

From WordPress.org

  1. Download the Staff/Employee Business Directory for Active Directory.
  2. Unzip and upload the miniorange-ldap-directory-search directory to your /wp-content/plugins/ directory.
  3. Activate the Staff/Employee Business Directory for Active Directory from your Plugins section.

Make sure that if there is a firewall, you OPEN THE FIREWALL to allow incoming requests to your LDAP from your WordPress Server IP and open port 389 (636 for SSL or LDAPS).

Why am I getting an error while trying to Test LDAP Connection?

  1. Please make sure that the LDAP Server URL, Username and Password that you have entered are correct.
  2. In the Username field, please enter either the UserPrincipalName or DistinguishedName (DN) attribute of any user present in your LDAP server.
  3. Check that the LDAP server is reachable from your hosted site and that port 389 is open. To check this, run the following command on your WordPress server: telnet < LDAP server host or IP > 389
  4. If you are using a firewall, open the firewall to allow incoming requests to your LDAP from your WordPress Server IP and port 389.

If you have any queries or if you need any sort of assistance configuring our plugin, you can contact us at [email protected]. Our customer support team is available 24×7 to assist you in any way possible.

What is meant by Search Base in my LDAP environment?

  1. Search Base is a container / path where your LDAP/AD users that you want to search are present.
  2. This is the container in which the Staff/Employee Business Directory For Active Directory Plugin will search for LDAP users.
  3. The Search Base value can be obtained from the distinguishedName attribute of a container / node where the LDAP/AD users are present.

For example, if you want to search all LDAP/AD users in the Organizational Unit (OU) named "LDAPUsers", the Search Base would be OU=LDAPUsers, DC=DomainName, DC=SubDomainName.
If you have any queries or if you need any sort of assistance in configuring our plugin, you can contact us at [email protected]. Our customer support team is available 24×7 to assist you in any way possible.

I cannot add more LDAP user attributes in the Attributes Configuration. Why?

To add and display unlimited LDAP user attributes, please upgrade your existing plan to the premium plan.

Is it possible to display only active (non-disabled) users from the LDAP/AD Server?

Yes, it is possible using the Custom Search Filter feature, which is present in the premium version of our plugin.


For support or troubleshooting help, please email us at [email protected] or Contact us.

How does the Custom Search Filter work?

Custom LDAP search filters allow you to apply advanced filters to your search. You can restrict / allow specific users belonging to LDAP groups or Organizational Units. For example, if you want to display only users from the Sales department, you can do this using the search filter below (the ? is the placeholder the plugin replaces with the search term; LDAP filter values are not quoted):

(&(objectClass=user)(objectCategory=person)(sAMAccountName=?)(department=Sales))
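How the template above is expanded, as an added example that is not the plugin's code: the ? placeholder is replaced with the search term escaped per RFC 4515, so that parentheses, asterisks and backslashes typed by a visitor are matched literally instead of altering the filter's structure, and the prefix-match wildcard is appended only after escaping. Function names are assumptions; PHP 5.6+ also offers the built-in ldap_escape() with LDAP_ESCAPE_FILTER.

```php
<?php
// Added example, not the plugin's code: expand a "?"-placeholder search
// filter template with an RFC 4515 escaped search term.

function ldap_escape_filter_value( $value ) {
    // RFC 4515 escaping; strtr() with an array replaces in a single pass,
    // so the backslash mapping cannot double-escape the others.
    $map = array(
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    );
    return strtr( $value, $map );
}

function build_directory_filter( $template, $term, $prefix_match = true ) {
    $escaped = ldap_escape_filter_value( trim( $term ) );
    if ( $prefix_match && $escaped !== '' ) {
        $escaped .= '*'; // the only wildcard in the final filter
    }
    // Every "?" placeholder in the template receives the escaped term.
    return str_replace( '?', $escaped, $template );
}

// Template from the FAQ above, restricted to the Sales department.
$template = '(&(objectClass=user)(objectCategory=person)(sAMAccountName=?)(department=Sales))';

echo build_directory_filter( $template, 'jsmith' ), PHP_EOL;
// (&(objectClass=user)(objectCategory=person)(sAMAccountName=jsmith*)(department=Sales))

// A term that legitimately contains filter metacharacters stays a literal match.
echo build_directory_filter( $template, 'Smith (Sales)' ), PHP_EOL;
// (&(objectClass=user)(objectCategory=person)(sAMAccountName=Smith \28Sales\29*)(department=Sales))
```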

Does this plugin store any staff / employee information in the WordPress database?

No, this plugin does not store any LDAP user’s data in the WordPress database. Our Staff / Employee Business Directory For Active Directory plugin dynamically fetches and displays users’ information on the fly.

We are using Staff / Employee Business Directory plugin for showing our employees on WordPress page. The plugin displays our employees on pages based on departments they are linked to Active Directory. The most amazing thing was Support we received from miniOrange. I am using other WordPress plugins for years and I never received this kind of quality support that miniOrange has provided us. They have very trained employees for problem solving. I would like to thank Vikas More for his amazing knowledge and problem solving skills that led to achieve our requirements. He is very talented and proficient in the conversation. If we need any plugin in the future, miniOrange will be our first choice because of the product quality and most important the quick and great support we have received from Vikas. Keep up the good work miniOrange!

Great plugin - works well and excellent support for any customization. Very responsive support as well.

What a great plugin with great support. Easy to configure and setup!!

Wonderful Plugin and works better as expected!!! The support is TOP!

The plugin is really easy to install and configure. It does exactly what you want it to do. The technical support, especially Vikas, is really professional and responsive. We had to translate some terms in French and it was done quickly. I can only recommend this plugin. Thank you.

The support (especially Vikas) is just great. We had a problem and they were really flexible and helpful. Now our search-function works perfectly and we know we can always rely on the support.


“Staff / Employee Business Directory for Active Directory” is open source software. The following people have contributed to this plugin.

Contributors

  • miniorange

1.3

  • Enhanced security measures to prevent LDAP Passback Vulnerability.

1.2.3

  • Security Fixes

1.2.2

  • Compatibility with the WordPress version 6.3

1.2.1

  • Compatibility with the WordPress version 6.2

1.2.0

  • WP Guideline & Security Fixes.
  • Code Optimization.

1.1.2

  • Black Friday Sale Advertisement.
  • Updated Licensing Page.
  • Added Settings Menu.

1.1.1

  • Added Advertisement for Trialware.
  • Minor Bug Fixes.
  • Compatibility with WordPress 6.1

1.1

  • Read me changes.
  • UI Improvements.
  • Added an optional feedback form on plugin deactivation.
  • Code optimization

1.0.1

  • Read me changes.
  • Minor UI changes.

1.0

This is the first version of the plugin.
