SiT! Bugs - SiT!
View Issue Details
ID: 0001047
Project: SiT!
Category: LDAP
View Status: public
Date Submitted: 2010-01-20 18:47
Last Update: 2010-01-27 21:42
Reporter: ivan
Assigned To: paulh
Priority: immediate
Severity: block
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 3.50
Target Version: 3.51
Fixed in Version: 3.51
Summary: 0001047: Possible to login with blank password when LDAP is enabled
Description: Can log in without a password on any user except for admin... With a password I can log in on the SIT system, a wrong password isn't accepted, but if I leave the password blank I can log in as every user (except admin) on the SIT system.
See this forum post for discussion:

http://sitracker.org/forum/viewtopic.php?f=4&t=1416979&p=2292
Tags: security

Attached Files:
bug1047.patch (10,155 bytes) 2010-01-20 20:55
http://bugs.sitracker.org/file_download.php?file_id=75&type=bug
functions.inc.php (286,368 bytes) 2010-01-20 20:56
http://bugs.sitracker.org/file_download.php?file_id=76&type=bug
Issue History
Date Modified     Username  Field                Change
2010-01-20 18:47  ivan      New Issue
2010-01-20 18:47  ivan      Tag Attached: security
2010-01-20 18:56  ivan      Note Added: 0002295
2010-01-20 18:56  ivan      Product Version      => 3.50
2010-01-20 18:56  ivan      Target Version       => 3.51
2010-01-20 18:57  ivan      Note Edited: 0002295
2010-01-20 19:21  paulh     Note Added: 0002296
2010-01-20 19:21  paulh     Status               new => confirmed
2010-01-20 19:28  kieran    Note Added: 0002297
2010-01-20 19:42  paulh     Note Added: 0002298
2010-01-20 19:56  kieran    Note Deleted: 0002297
2010-01-20 20:00  ivan      Sticky Issue         No => Yes
2010-01-20 20:42  paulh     Status               confirmed => assigned
2010-01-20 20:42  paulh     Assigned To          => paulh
2010-01-20 20:55  paulh     File Added: bug1047.patch
2010-01-20 20:56  paulh     File Added: functions.inc.php
2010-01-20 21:01  paulh     Note Added: 0002299
2010-01-20 21:01  paulh     Status               assigned => resolved
2010-01-20 21:01  paulh     Resolution           open => fixed
2010-01-20 21:01  paulh     Fixed in Version     => Current SVN
2010-01-23 19:01  ivan      Fixed in Version     Current SVN => 3.51
2010-01-23 19:02  ivan      Note Added: 0002302
2010-01-23 19:02  ivan      Status               resolved => closed
2010-01-27 21:42  ivan      Sticky Issue         Yes => No

Notes
(0002295)
ivan   
2010-01-20 18:56   
(edited on: 2010-01-20 18:57)
Since this is so serious, if you want an immediate work-around to make your systems safe, you can insert the following line of code into your lib/functions.inc.php file at line 152 (assuming you're running v3.50):

    if (empty($password)) return false;

This will ensure it's never possible to login with an empty password. A proper fix will be included with 3.51 after we've had time to investigate this properly.

(0002296)
paulh   
2010-01-20 19:21   
Confirm this is an issue

(0002298)
paulh   
2010-01-20 19:42   
Having worked through the code, I've identified the source of this problem to be that eDirectory treats binds without a password as anonymous binds:

02:02:29 3E248950 LDAP: DoBind on connection 0xfb5a040
02:02:29 3E248950 LDAP: Treating simple bind with no password as anonymous
02:02:29 3E248950 LDAP: Bind name:NULL, version:3, authentication:simple
02:02:29 3E248950 LDAP: Sending operation result 0:"":"" to connection 0xfb5a040

Which in eDirectory isn't an issue, as anonymously bound users are only able to see a limited set of attributes, though SiT gets a status of 0 back (login successful), which is why we let the user in.

Not sure of the best fix, though I suspect the workaround Ivan posted is the best.

(0002299)
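
The following is an added example, not SiT! project code and not the patch attached to this bug. It simulates the eDirectory behaviour described in note 0002298 (a simple bind carrying no password is treated as an anonymous bind and returns result 0) and shows why the guard from note 0002295 has to run before any bind is attempted: an application that treats "bind returned 0" as proof of identity is bypassed by a blank password for any account, existing or not. The directory, DN layout, account names and passwords are constructed sample data.

```python
# Added example (not SiT! code): unauthenticated (anonymous) LDAP bind
# mistaken for a successful login, and the empty-password guard that stops it.

LDAP_SUCCESS = 0               # result code the trace shows for the no-password bind
LDAP_INVALID_CREDENTIALS = 49  # standard LDAP invalidCredentials result


class FakeEDirectory:
    """Minimal stand-in for an LDAP server (constructed, not a real client)."""

    def __init__(self, accounts):
        # accounts: mapping of bind DN -> password (constructed sample data)
        self.accounts = accounts
        self.bind_log = []  # one line per bind, in the style of the server-side trace

    def simple_bind(self, dn, password):
        # Mirrors the trace in note 0002298: a simple bind with no password is
        # treated as an anonymous bind and succeeds with result 0, no matter
        # whether the DN exists or what the account's real password is.
        if password == "":
            self.bind_log.append(f"Treating simple bind with no password as anonymous ({dn})")
            return LDAP_SUCCESS
        if self.accounts.get(dn) == password:
            self.bind_log.append(f"Bind name:{dn} authenticated")
            return LDAP_SUCCESS
        self.bind_log.append(f"Bind name:{dn} rejected")
        return LDAP_INVALID_CREDENTIALS


def user_dn(username):
    # Assumed DN layout for the sample directory (not SiT!'s real lookup logic).
    return f"cn={username},ou=people,o=example"


def login_vulnerable(directory, username, password):
    """The pattern behind 0001047: result 0 from the bind is taken as proof of identity."""
    return directory.simple_bind(user_dn(username), password) == LDAP_SUCCESS


def login_fixed(directory, username, password):
    """Same flow with the empty-password guard applied before the bind.

    Python equivalent of the one-line workaround from note 0002295,
    `if (empty($password)) return false;`, placed ahead of the bind call."""
    if not password:
        return False
    return directory.simple_bind(user_dn(username), password) == LDAP_SUCCESS


def compare_logins(directory):
    """Run both versions over the same credential attempts; returns
    {(user, password): (vulnerable_result, fixed_result)}."""
    attempts = [
        ("alice", "correct horse"),  # right password
        ("alice", "wrong"),          # wrong password
        ("alice", ""),               # blank password: the reported bypass
        ("nobody", ""),              # blank password for an account that does not exist
    ]
    return {
        (user, pw): (login_vulnerable(directory, user, pw), login_fixed(directory, user, pw))
        for user, pw in attempts
    }


if __name__ == "__main__":
    directory = FakeEDirectory({user_dn("alice"): "correct horse"})
    for (user, pw), (vuln, fixed) in compare_logins(directory).items():
        print(f"{user!r:10} {pw!r:16} vulnerable={vuln!s:5} fixed={fixed}")
    print("\n".join(directory.bind_log))
```

Two practitioner notes on the guard itself. First, PHP's `empty()` is true for the string `"0"` as well as for `""` and `null`, so the workaround line also rejects a user whose password is literally `0`; a check such as `$password === ''` (or a minimum-length check) avoids that side effect if it matters in your deployment. Second, the server-side trace line `Treating simple bind with no password as anonymous` is a useful thing to alert on from the directory side: an application account that is supposed to perform only authenticated binds should never produce it.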
paulh   
2010-01-20 21:01   
r6021 resolves this issue in 3.x and trunk; a patch and a patched functions.inc.php are also available in this bug.
(0002302)
ivan   
2010-01-23 19:02   
Fix released in v3.51, which is now available.