SiT! Bugs

ID: 0000735
Project: SiT!
Category: authentication
View Status: public
Date Submitted: 2009-06-16 15:37
Last Update: 2009-08-16 14:39
Reporter: mfeider67
Assigned To: paulh
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 3.45
Target Version: 3.50
Fixed in Version: 3.50
Summary: 0000735: log in error
Description: login is allowed when LDAP is false, but SQL still authenticates - can be old or blank password sometimes bypasses LDAP's failure
Additional Information: DIFF file seems to contain all change in indent - this line change is the important one....

- if ($CONFIG['use_ldap']) authenticateLDAPCustomer($username, $portalpassword );
+ if ($CONFIG['use_ldap'] && authenticateLDAPCustomer($username, $portalpassword )) //changed due to small bug - if user logs in with blank password, and if LDAP either updates a blank or never sets the user is still logged in even though the password is incorrect, essentially we need to validate return value of this function for success and not just rely on next SQL check
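
Review bot: On the `+` line, `$CONFIG['use_ldap'] && authenticateLDAPCustomer(...)` short-circuits to false whenever `use_ldap` is off, so whatever statement this `if` guards (not visible in this excerpt) is skipped on installs that do not use LDAP. If the guarded statement is the "next SQL check" the comment mentions, the two cases should be separated: when LDAP is enabled and `authenticateLDAPCustomer()` returns false, fail the login immediately, and only fall through to the SQL check when LDAP is disabled. Since the comment names a blank password as the trigger, rejecting an empty `$portalpassword` before either check would close that case regardless of which backend runs. The rationale also belongs in a short comment above the line rather than a long trailing one.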
Tags: security
Attached Files: login.php.diff (7,406 bytes) 2009-06-16 15:37

Relationships
child of 0000076 (closed, paulh): Directory integration - LDAP

Notes

(0001274)
paulh (administrator)
2009-07-10 20:14

Think the reworked LDAP code resolves this, can you confirm?

(0001420)
paulh (administrator)
2009-07-26 15:05

The reworked LDAP code makes it configurable whether passwords are cached, and if they are, whether you can use them for authentication.

(0001422)
ivan (administrator)
2009-07-26 15:07

Thanks Paul

(0001698)
ivan (administrator)
2009-08-16 14:39

Released in 3.50rc1

Issue History
Date Modified Username Field Change
2009-06-16 15:37 mfeider67 New Issue
2009-06-16 15:37 mfeider67 File Added: login.php.diff
2009-06-16 17:47 ivan Relationship added child of 0000076
2009-07-10 20:14 paulh Note Added: 0001274
2009-07-10 20:14 paulh Status new => feedback
2009-07-20 22:03 ivan Target Version => 3.50
2009-07-25 14:51 ivan Tag Attached: security
2009-07-26 15:05 paulh Note Added: 0001420
2009-07-26 15:05 paulh Status feedback => resolved
2009-07-26 15:05 paulh Resolution open => fixed
2009-07-26 15:05 paulh Fixed in Version => Current SVN
2009-07-26 15:07 ivan Note Added: 0001422
2009-07-26 15:07 ivan Assigned To => paulh
2009-08-16 13:15 ivan Fixed in Version Current SVN => 3.50
2009-08-16 14:39 ivan Note Added: 0001698
2009-08-16 14:39 ivan Status resolved => closed

