SiT! Bugs

ID: 0001047
Project: SiT!
Category: LDAP
View Status: public
Date Submitted: 2010-01-20 18:47
Last Update: 2010-01-27 21:42
Reporter: ivan
Assigned To: paulh
Priority: immediate
Severity: block
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 3.50
Target Version: 3.51
Fixed in Version: 3.51
Summary: 0001047: Possible to login with blank password when LDAP is enabled
Description: Can log in without a password as any user except admin... With a password I can log in on the SIT system, a wrong password isn't accepted, but if I leave the password blank I can log in as every user (except admin) on the SIT system.
Additional Information: See this forum post for discussion:

http://sitracker.org/forum/viewtopic.php?f=4&t=1416979&p=2292
Tags: security
Attached Files: bug1047.patch (10,155 bytes) 2010-01-20 20:55; functions.inc.php (286,368 bytes) 2010-01-20 20:56

- Notes

Note 0002295 - ivan (administrator) - 2010-01-20 18:56 (edited on: 2010-01-20 18:57)

Since this is so serious, if you want an immediate work-around to make your systems safe, you can insert the following line of code into your lib/functions.inc.php file at line 152 (assuming you're running v3.50):

    if (empty($password)) return false;

This will ensure it's never possible to login with an empty password. A proper fix will be included with 3.51 after we've had time to investigate this properly.

Note 0002296 - paulh (administrator) - 2010-01-20 19:21

Confirm this is an issue

Note 0002298 - paulh (administrator) - 2010-01-20 19:42

Having worked through the code I've identified the source of this problem to be that eDirectory treats binds without a password as anonymous binds:

02:02:29 3E248950 LDAP: DoBind on connection 0xfb5a040
02:02:29 3E248950 LDAP: Treating simple bind with no password as anonymous
02:02:29 3E248950 LDAP: Bind name:NULL, version:3, authentication:simple
02:02:29 3E248950 LDAP: Sending operation result 0:"":"" to connection 0xfb5a040

Which in eDirectory isn't an issue as anonymous bound users are only able to see a limited set of attributes though SiT gets a status of 0 back (login successful) hence why we let the user in.

Not sure of the best fix though suspecting the workaround Ivan posted is the best
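
The guard Ivan posted above, combined with a post-bind check that follows from paulh's finding, written out as an added PHP example; this is not SiT's own functions.inc.php, and the LDAP URI, the user DN and the use of ldap_exop_whoami() for the second check are assumptions:

```php
<?php
// Added example for SiT bug 0001047 (not the project's code). The caller
// supplies $ldapUri and $userDn; ldap_exop_whoami() requires PHP >= 7.2.

/**
 * Authenticate a user with an LDAP simple bind, without being fooled by a
 * server that treats "DN + empty password" as a successful anonymous bind
 * (the RFC 4513 unauthenticated bind, which is the eDirectory behaviour
 * shown in the log above).
 */
function ldap_password_login(string $ldapUri, string $userDn, string $password): bool
{
    // Step 1: never send an empty password. This is the one-line workaround
    // from the note above, applied before any bind is attempted.
    if ($password === '') {
        return false;
    }

    $conn = ldap_connect($ldapUri);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Step 2: simple bind. ldap_bind() returns false on invalid credentials;
    // the @ silences the warning PHP emits in that case.
    if (@ldap_bind($conn, $userDn, $password) === false) {
        ldap_unbind($conn);
        return false;
    }

    // Step 3 (defence in depth): ask the server who it thinks we are
    // (RFC 4532 "Who am I?"). An anonymous bind answers with an empty authzId,
    // so a result code of 0 from the bind alone is not taken as proof that
    // the password was actually verified.
    $authzId = ldap_exop_whoami($conn);
    ldap_unbind($conn);

    return is_string($authzId) && $authzId !== '';
}

// Constructed usage; the empty-password case returns false before any
// network call, the other two need a reachable directory.
ldap_password_login('ldaps://ldap.example.test', 'cn=jane,ou=people,dc=example,dc=test', '');
ldap_password_login('ldaps://ldap.example.test', 'cn=jane,ou=people,dc=example,dc=test', 'wrong');
ldap_password_login('ldaps://ldap.example.test', 'cn=jane,ou=people,dc=example,dc=test', 'correct-horse');
```

A directory that does not implement the "Who am I?" extended operation makes ldap_exop_whoami() return false, so on such a server drop step 3 and rely on the empty-password guard alone, as Ivan's workaround does.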

Note 0002299 - paulh (administrator) - 2010-01-20 21:01

r6021 resolves this issue in 3.x and trunk; a patch and a patched functions.inc.php are also available in this bug.

Note 0002302 - ivan (administrator) - 2010-01-23 19:02

Fix released in v3.51 which is now available

- Issue History
Date Modified Username Field Change
2010-01-20 18:47 ivan New Issue
2010-01-20 18:47 ivan Tag Attached: security
2010-01-20 18:56 ivan Note Added: 0002295
2010-01-20 18:56 ivan Product Version => 3.50
2010-01-20 18:56 ivan Target Version => 3.51
2010-01-20 18:57 ivan Note Edited: 0002295 View Revisions
2010-01-20 19:21 paulh Note Added: 0002296
2010-01-20 19:21 paulh Status new => confirmed
2010-01-20 19:28 kieran Note Added: 0002297
2010-01-20 19:42 paulh Note Added: 0002298
2010-01-20 19:56 kieran Note Deleted: 0002297
2010-01-20 20:00 ivan Sticky Issue No => Yes
2010-01-20 20:42 paulh Status confirmed => assigned
2010-01-20 20:42 paulh Assigned To => paulh
2010-01-20 20:55 paulh File Added: bug1047.patch
2010-01-20 20:56 paulh File Added: functions.inc.php
2010-01-20 21:01 paulh Note Added: 0002299
2010-01-20 21:01 paulh Status assigned => resolved
2010-01-20 21:01 paulh Resolution open => fixed
2010-01-20 21:01 paulh Fixed in Version => Current SVN
2010-01-23 19:01 ivan Fixed in Version Current SVN => 3.51
2010-01-23 19:02 ivan Note Added: 0002302
2010-01-23 19:02 ivan Status resolved => closed
2010-01-27 21:42 ivan Sticky Issue Yes => No
