tiagoapimenta / nginx-ldap-auth

Nginx authentication backend for LDAP
zlib License

Leaving the password field empty bypasses authentication #19

Open kishorviswanathan opened 4 years ago

kishorviswanathan commented 4 years ago

I have deployed nginx-ldap-auth with nginx-ingress controller on GKE. I have enabled group validation. When a valid username that is a member of the group is provided, the password field can be left empty. This is a security issue and can grant access to anyone who knows a valid username.

iul1an commented 4 years ago

I was also able to reproduce the bug when requiredGroups is empty or not specified.
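An added illustration of the failure mode reported above (example code, not nginx-ldap-auth's own): RFC 4513 section 5.1.2 defines a simple bind with a DN and an empty password as an "unauthenticated" bind, which permissive directory servers answer with a success result and an anonymous session, so a backend that equates "bind succeeded" with "user authenticated" is bypassable with a blank password regardless of the group check. The stub directory, `simple_bind` and the DNs are constructed for this example; a real backend would use python-ldap or ldap3 against the actual server.

```python
# Constructed directory for the example: DN -> (password, groups)
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": ("correct-horse", {"cn=admins"}),
}

class Session:
    def __init__(self, dn: str):
        self.dn = dn                        # "" means an anonymous session
    def whoami(self) -> str:                # models the RFC 4532 "Who am I?" operation
        return self.dn

def simple_bind(dn: str, password: str):
    """Stub of a permissive LDAP server's simple bind.
    Returns (result_code, session): 0 is success, 49 is invalidCredentials."""
    if password == "":
        return 0, Session("")               # unauthenticated bind: success, but anonymous
    if dn in DIRECTORY and DIRECTORY[dn][0] == password:
        return 0, Session(dn)
    return 49, None

def in_required_group(dn: str, required) -> bool:
    # Membership is looked up by DN, so it proves nothing about the password.
    return not required or bool(DIRECTORY.get(dn, ("", set()))[1] & set(required))

def auth_vulnerable(dn: str, password: str, required_groups=frozenset()) -> bool:
    # Trusts the bind result code alone: an empty password passes.
    code, _ = simple_bind(dn, password)
    return code == 0 and in_required_group(dn, required_groups)

def auth_hardened(dn: str, password: str, required_groups=frozenset()) -> bool:
    if not dn or not password:              # never send an empty password to the server
        return False
    code, session = simple_bind(dn, password)
    if code != 0 or session.whoami() != dn: # defence in depth: session must be the user
        return False
    return in_required_group(dn, required_groups)
```

The hardened path rejects empty credentials before any bind, and additionally refuses a session whose identity is not the DN that was bound, which also covers servers that silently downgrade to anonymous.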