LDAP sign-in accepts blank passwords as valid

Created by: BHSPitMonkey

Using the LDAP/omniauth functionality, I seem to be able to illegitimately sign in as any user by simply providing their username and leaving the password field blank at the login page. Providing an incorrect (but non-blank) password correctly results in a "Invalid Credentials" message, but leaving the password completely blank results in a successful authentication. This is a very critical problem for LDAP users!

Is anyone else able to recreate this behavior?

Created by: dzaporozhets

@BHSPitMonkey Thank you! This bug is related to omniauth-ldap. This commit fix it 89d3366e. Can you recheck it? If it works for you we'll release 2.6.3

By Administrator on 2012-06-26T07:55:51 (imported from GitLab project)

By Administrator on 2012-06-26T07:55:51 (imported from GitLab)

Created by: BHSPitMonkey

@randx Thanks for looking at this so quickly! I've updated my installation and can no longer sign in without providing a password. However, instead of getting re-presented with the login form with an error message at the top, I'm bounced to the HTTP 500 error page:

We're sorry, but something went wrong.
We've been notified about this issue and we'll take a look at it shortly.

on which the URL is "/users/auth/ldap/callback". So the security hole is closed, though I don't think it's giving the UX response you intended.

Thanks again for everything!

By Administrator on 2012-06-26T14:53:19 (imported from GitLab project)

By Administrator on 2012-06-26T14:53:19 (imported from GitLab)