From 8d019c03ee7a2a3a25bfb3f2afa25951eac06428 Mon Sep 17 00:00:00 2001 From: Craig Andrews Date: Tue, 21 Sep 2010 18:04:28 -0400 Subject: [PATCH] Do not allow blank passwords when authenticating against LDAP. --- plugins/LdapCommon/LdapCommon.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/plugins/LdapCommon/LdapCommon.php b/plugins/LdapCommon/LdapCommon.php index 7dea1f0ed4..159b2d265a 100644 --- a/plugins/LdapCommon/LdapCommon.php +++ b/plugins/LdapCommon/LdapCommon.php @@ -144,6 +144,12 @@ class LdapCommon if(!$entry){ return false; }else{ + if(empty($password)) { + //NET_LDAP2 will do an anonymous bind if bindpw is not set / empty string + //which causes all login attempts that involve a blank password to appear + //to succeed. Which is obviously not good. + return false; + } $config = $this->get_ldap_config(); $config['binddn']=$entry->dn(); $config['bindpw']=$password; -- 2.39.5