shinken-monitoring / mod-auth-active-directory

Shinken module for UI authentication with Active Directory or OpenLDAP
GNU Affero General Public License v3.0

Security Bug: Empty password grants access #3

Closed DessaiImrane closed 11 years ago

DessaiImrane commented 11 years ago

Hi,

I'm using this module to auth my users on the WebUI (against an Active Directory).

Giving a wrong username or a wrong password makes auth fail (expected behavior).

Giving a right username with an empty password makes auth succeed (huhu, not expected behavior, of course).

Maybe a problem with the filter in the LDAP query?

DessaiImrane commented 11 years ago

Some explanation:

AD authorizes "anonymous" bind. So a DN with no password is equivalent to an Unauthenticated Bind, and a DN with a wrong password is NOT an Anonymous Bind.

A bind doesn't necessarily grant read access on LDAP. You have to have the rights to do so.

Many solutions:

  • Disable Anonymous Bind in AD (not recommended according to some sources)
  • Make this module stronger -- check if the password is "empty" before making the bind

Many other projects have the same problem (e.g. Redmine). Google search: ad bind empty password

FYI: It is in the file "module/module.py", l249

Which solution do you prefer?

naparuba commented 11 years ago

? I already fixed this in the sources months ago (password == '' -> drop).
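To make the mechanism concrete, here is an added example (not code from mod-auth-active-directory or from either commenter) that models the three simple-bind cases of RFC 4513 section 5.1 and shows the pattern behind the bug and the `password == '' -> drop` fix. The directory contents, the `CN=...,OU=Users,DC=example,DC=com` DN layout and the function names are constructed for the example; the point is that an unauthenticated bind (DN given, empty password) returns success while the session remains anonymous, so a login check that trusts the bind result code alone lets any valid username in with an empty password.

```python
"""Model of LDAP simple-bind semantics (RFC 4513 section 5.1), used to show
why a login form must reject an empty password before binding.

Constructed example: the directory entries, DN layout and helper names below
are made up and stand in for the Active Directory the reporter bound against.
"""

from typing import Optional, Tuple

# Constructed directory: DN -> password.
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": "correct horse battery staple",
    "CN=bob,OU=Users,DC=example,DC=com": "hunter2",
}

# LDAP result codes (numbering as in RFC 4511).
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53


def simple_bind(dn: str, password: str,
                allow_unauthenticated: bool = True) -> Tuple[int, Optional[str]]:
    """Return (resultCode, authorization identity) for a simple bind.

    RFC 4513 distinguishes three cases:
      * empty name, empty password -> anonymous bind: success, no identity
      * name given, empty password -> *unauthenticated* bind: success, but
        the session is still anonymous.  Active Directory accepts this by
        default; a server may refuse it (allow_unauthenticated=False here).
      * name and password          -> authenticated only if they match
    """
    if dn == "" and password == "":
        return SUCCESS, None
    if password == "":
        if allow_unauthenticated:
            return SUCCESS, None  # the trap: "success" with no identity at all
        return UNWILLING_TO_PERFORM, None
    if DIRECTORY.get(dn) == password:
        return SUCCESS, dn
    return INVALID_CREDENTIALS, None


def user_dn(username: str) -> str:
    """Build the bind DN for a username (constructed layout)."""
    return f"CN={username},OU=Users,DC=example,DC=com"


def authenticate_vulnerable(username: str, password: str) -> bool:
    """Pattern described in the issue: bind as the user and trust the
    result code alone.  An empty password turns this into an unauthenticated
    bind, which AD answers with success, so any known username logs in."""
    code, _ = simple_bind(user_dn(username), password)
    return code == SUCCESS


def authenticate_fixed(username: str, password: str) -> bool:
    """Hardened: drop empty passwords before talking to the server (the fix
    naparuba describes), and additionally accept only a bind that actually
    yielded the user's own identity, so a server that happens to allow
    unauthenticated binds still cannot be used to bypass the check."""
    if not username or not password:
        return False
    dn = user_dn(username)
    code, authz = simple_bind(dn, password)
    return code == SUCCESS and authz == dn


if __name__ == "__main__":
    for user, pwd in [("alice", ""), ("alice", "wrong"),
                      ("alice", "correct horse battery staple")]:
        print(f"{user!r} / {pwd!r}: vulnerable={authenticate_vulnerable(user, pwd)}"
              f" fixed={authenticate_fixed(user, pwd)}")
```

The second guard in `authenticate_fixed` matters when the empty-password check is done client-side only: disabling unauthenticated binds on the server (the first of the two options listed above) is an independent control, and checking the identity the bind actually produced covers the case where neither control is in place on one of several replicas.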

DessaiImrane commented 11 years ago

pfff! I'm sorry, I misread the source code.

I close this issue

naparuba commented 11 years ago

:p