From 482e72b6a8190cf4e2ada47cf1168f36ed92afe5 Mon Sep 17 00:00:00 2001
From: "justdave%syndicomm.com" <>
Date: Sun, 9 Dec 2001 23:56:23 +0000
Subject: SECURITY FIX bug 54901: If you were using LDAP authentication it
 would let you log in as anyone if you left the password blank. Patch by David
 Crowe <crow@waveset.com> r= jmrobins, justdave

---
 CGI.pl | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'CGI.pl')

diff --git a/CGI.pl b/CGI.pl
index 5a2b5f7ce..e245c1db4 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -868,6 +868,21 @@ sub confirm_login {
          exit;
        }
 
+       # if no password was provided, then fail the authentication
+       # while it may be valid to not have an LDAP password, when you
+       # bind without a password (regardless of the binddn value), you
+       # will get an anonymous bind.  I do not know of a way to determine
+       # whether a bind is anonymous or not without making changes to the
+       # LDAP access control settings
+       if ( ! $::FORM{"LDAP_password"} ) {
+         print "Content-type: text/html\n\n";
+         PutHeader("Login Failed");
+         print "You did not provide a password.\n";
+         print "Please click <b>Back</b> and try again.\n";
+         PutFooter();
+         exit;
+       }
+
        # We've got our anonymous bind;  let's look up this user.
        my $dnEntry = $LDAPconn->search(Param("LDAPBaseDN"),"subtree","uid=".$::FORM{"LDAP_login"});
        if(!$dnEntry) {
-- 
cgit v1.2.3-24-g4f1b