Not sure if this is a bug or if the "bind" function returns something else.
In the following snippet:
....
ldap_con = Net::LDAP.new( {:host => ldapserver, :port => ldapport, :auth => { :method => :simple, :username => dn, :password => password}} )
if ldap_con.bind
.....
If we put the password as blank (i.e. password = ''), ldap_con.bind will return true (or return a valid object). We are using ldap_con.bind to check something's credential on our app. Now, when a user types in a user with a blank password, they can get into our app. I have made a temporary fix by checking whether the password is empty or not.
Any thoughts?
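The empty-password check described in the post, as an added example that is not part of the original post or of the net-ldap project. In LDAP a simple bind with a DN and a zero-length password is an "unauthenticated bind" (RFC 4513, section 5.1.2), which a server may accept without verifying anything, so the guard has to sit in the application. `credentials_valid?`, `FakeDirectory`, `NET_LDAP_BIND` and the demo DN and password are hypothetical names and constructed data.

```ruby
# Added example: refuse LDAP anonymous/unauthenticated binds before they are sent.
# FakeDirectory is a constructed stand-in for a server that accepts
# unauthenticated binds (non-empty DN, empty password), as in the report.
class FakeDirectory
  def initialize(users)
    @users = users # { dn => password }, constructed sample data
  end

  # Mimics the reported behaviour: an empty password "succeeds" because the
  # server treats the request as an unauthenticated bind.
  def bind(dn, password)
    return true if password.to_s.empty?
    @users[dn] == password
  end
end

# Connector for a real directory (assumes the net-ldap gem; it is loaded
# lazily so the guard logic below can be exercised without it).
NET_LDAP_BIND = lambda do |host, port|
  lambda do |dn, password|
    require 'net/ldap'
    Net::LDAP.new(host: host, port: port,
                  auth: { method: :simple, username: dn, password: password }).bind
  end
end

# Returns true only when the directory verified a non-empty password for a
# non-empty DN. `binder` is any callable taking (dn, password).
def credentials_valid?(dn, password, binder)
  return false if dn.nil? || dn.to_s.empty?             # would be an anonymous bind
  return false if password.nil? || password.to_s.empty? # would be an unauthenticated bind
  binder.call(dn, password) ? true : false
end

# Constructed demo data.
DEMO_DN = 'uid=alice,ou=people,dc=example,dc=com'
DEMO_DIR = FakeDirectory.new({ DEMO_DN => 's3cret' })
DEMO_BINDER = DEMO_DIR.method(:bind)

if __FILE__ == $PROGRAM_NAME
  ['s3cret', 'wrong', '', nil].each do |pw|
    raw = DEMO_DIR.bind(DEMO_DN, pw)
    guarded = credentials_valid?(DEMO_DN, pw, DEMO_BINDER)
    puts "password=#{pw.inspect} raw_bind=#{raw} guarded=#{guarded}"
  end
end
```

Against a real server, pass `NET_LDAP_BIND.call(ldapserver, ldapport)` as the `binder` argument; the guard rejects the empty values before any bind request is made.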