SECURITY FIX bug 54901: If you were using LDAP authentication it would let you log in as anyone if you left the password blank. Patch by David Crowe <crow@waveset.com> r= jmrobins, justdave
parent 709a4c03
......@@ -868,6 +868,21 @@ sub confirm_login {
exit;
}
# if no password was provided, then fail the authentication
# while it may be valid to not have an LDAP password, when you
# bind without a password (regardless of the binddn value), you
# will get an anonymous bind. I do not know of a way to determine
# whether a bind is anonymous or not without making changes to the
# LDAP access control settings
if ( ! $::FORM{"LDAP_password"} ) {
print "Content-type: text/html\n\n";
PutHeader("Login Failed");
print "You did not provide a password.\n";
print "Please click <b>Back</b> and try again.\n";
PutFooter();
exit;
}
# We've got our anonymous bind; let's look up this user.
my $dnEntry = $LDAPconn->search(Param("LDAPBaseDN"),"subtree","uid=".$::FORM{"LDAP_login"});
if(!$dnEntry) {
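Review bot: the new guard `if ( ! $::FORM{"LDAP_password"} )` tests Perl truthiness, so a submitted password consisting of the single character "0" is rejected as if it were missing; since the intent stated in the comment is "no password was provided", the more precise test is on definedness and length, e.g. `if ( !defined($::FORM{"LDAP_password"}) || length($::FORM{"LDAP_password"}) == 0 )`. The direction of the check is right (it fails closed before the anonymous-bind search rather than after), and the comment honestly records why it is needed: an empty-password bind is silently anonymous and the code cannot tell the two apart. While in this function, the unchanged context line `"uid=".$::FORM{"LDAP_login"}` builds the search filter by concatenating user input with no escaping of filter metacharacters; that is outside this patch's scope but worth a follow-up bug so the login value is escaped before it reaches `search`.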