SiT! Bugs - SiT!
View Issue Details
ID: 0001047  Project: SiT!  Category: LDAP  View Status: public  Date Submitted: 2010-01-20 18:47  Last Update: 2010-01-27 21:42
Priority: immediate  Severity: block  Reproducibility: have not tried
0001047: Possible to login with blank password when LDAP is enabled
Can log in without a password as any user except admin... With a password I can log in to the SIT system, and a wrong password isn't accepted, but if I leave the password blank I can log in as every user (except admin) on the SIT system.
See this forum post for discussion: [^]
patch bug1047.patch (10,155) 2010-01-20 20:55
? (286,368) 2010-01-20 20:56
Issue History
2010-01-20 18:47  ivan   New Issue
2010-01-20 18:47  ivan   Tag Attached: security
2010-01-20 18:56  ivan   Note Added: 0002295
2010-01-20 18:56  ivan   Product Version  => 3.50
2010-01-20 18:56  ivan   Target Version  => 3.51
2010-01-20 18:57  ivan   Note Edited: 0002295
2010-01-20 19:21  paulh  Note Added: 0002296
2010-01-20 19:21  paulh  Status  new => confirmed
2010-01-20 19:28  kieran Note Added: 0002297
2010-01-20 19:42  paulh  Note Added: 0002298
2010-01-20 19:56  kieran Note Deleted: 0002297
2010-01-20 20:00  ivan   Sticky Issue  No => Yes
2010-01-20 20:42  paulh  Status  confirmed => assigned
2010-01-20 20:42  paulh  Assigned To  => paulh
2010-01-20 20:55  paulh  File Added: bug1047.patch
2010-01-20 20:56  paulh  File Added:
2010-01-20 21:01  paulh  Note Added: 0002299
2010-01-20 21:01  paulh  Status  assigned => resolved
2010-01-20 21:01  paulh  Resolution  open => fixed
2010-01-20 21:01  paulh  Fixed in Version  => Current SVN
2010-01-23 19:01  ivan   Fixed in Version  Current SVN => 3.51
2010-01-23 19:02  ivan   Note Added: 0002302
2010-01-23 19:02  ivan   Status  resolved => closed
2010-01-27 21:42  ivan   Sticky Issue  Yes => No

2010-01-20 18:56  ivan
(edited on: 2010-01-20 18:57)
Since this is so serious, if you want an immediate workaround to make your systems safe you can insert the following line of code into your lib/ file at line 152 (assuming you're running v3.50):

    if (empty($password)) return false;

This will ensure it's never possible to log in with an empty password. A proper fix will be included with 3.51 after we've had time to investigate this properly.

2010-01-20 19:21  paulh
Confirm this is an issue

2010-01-20 19:42  paulh
Having worked through the code, I've identified the source of this problem to be that eDirectory treats binds without a password as anonymous binds:

02:02:29 3E248950 LDAP: DoBind on connection 0xfb5a040
02:02:29 3E248950 LDAP: Treating simple bind with no password as anonymous
02:02:29 3E248950 LDAP: Bind name:NULL, version:3, authentication:simple
02:02:29 3E248950 LDAP: Sending operation result 0:"":"" to connection 0xfb5a040

This isn't an issue in eDirectory itself, as anonymously bound users are only able to see a limited set of attributes, but SiT gets a status of 0 back (login successful), hence why we let the user in.

Not sure of the best fix, though I suspect the workaround Ivan posted is the best.
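
The behaviour described in the note above (a simple bind with an empty password accepted as an unauthenticated bind, with the client then trusting the result code) is the general case of this bug. Below is an added example of a hardened login check, written for this page and not taken from SiT or its patch; the host, DN template and directory layout are placeholders, and the final "Who am I?" step assumes the server supports that LDAP extension.

```php
<?php
// Added example (not SiT's own code): an LDAP login check hardened against the
// "empty password = anonymous/unauthenticated bind" behaviour described above.
// Assumptions: the LDAP host, base DN and attribute names are placeholders.

function ldap_authenticate(string $username, string $password): bool
{
    // 1. Reject empty credentials before any network round trip. RFC 4513
    //    allows a server to treat a simple bind with an empty password as an
    //    unauthenticated bind that succeeds (result 0), which is exactly what
    //    eDirectory did here. Use a strict comparison rather than empty():
    //    in PHP, empty("0") is true, so empty() would wrongly reject the
    //    legitimate password "0".
    if ($username === '' || $password === '') {
        return false;
    }

    $ldap = ldap_connect('ldaps://ldap.example.invalid'); // placeholder host
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

    // 2. Bind as the user. ldap_escape() stops a crafted username from
    //    altering the DN; the DN template is an assumption for this example.
    $dn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN)
        . ',ou=people,dc=example,dc=invalid';
    $bound = @ldap_bind($ldap, $dn, $password);
    if ($bound !== true) {
        ldap_unbind($ldap);
        return false;
    }

    // 3. Defence in depth: ask the server who it thinks we are (RFC 4532
    //    "Who am I?"). An anonymous or unauthenticated session reports an
    //    empty authzId, so treat that as a failed login even though the bind
    //    itself returned 0. If your directory lacks this extension, drop
    //    this step and rely on the check in step 1.
    $whoami = ldap_exop_whoami($ldap);
    ldap_unbind($ldap);
    return is_string($whoami) && $whoami !== '';
}
```

Step 1 alone is the fix that matters for this bug; steps 2 and 3 make the check fail closed if the server's bind semantics change or the result code is ever misread.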

2010-01-20 21:01  paulh
r6021 resolves this issue in 3.x and trunk; a patch and a patched file are also available in this bug.

2010-01-23 19:02  ivan
Fix released in v3.51, which is now available.