php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #62363 Lack of warning about anon. bind
Submitted: 2012-06-19 07:11 UTC Modified: 2017-01-09 06:45 UTC
From: gewalopdrbat at gmail dot com Assigned:
Status: Not a bug Package: LDAP related
PHP Version: 5.4.4 OS: Windows 7, Ubuntu 12.04
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: gewalopdrbat at gmail dot com
New email:
PHP Version: OS:

 

 [2012-06-19 07:11 UTC] gewalopdrbat at gmail dot com 
Description:
------------
Most of the cases where a security concern or a possibility unexpected behavior are happily mentioned in the PHP documentation as WARNINGS or NOTES.
This case is very critical because many times the ldap_bind() function is used as in the Case 1 (see test script).
According the https://tools.ietf.org/html/rfc4513#section-5.1.2 , Clients MUST check for empty passwords to avoid successful bind when the username is valid (I've also tested the username '*', and it produced a successful bind).
It would be very nice to change the behavior of ldap_bind() and add a parameter to explicitly allow anonymous binding or at least mention the Case 2 in the examples (see test script).

Test script:
---------------
#Case 1 Code
if (ldap_bind($ds, $rdn, $password)){
       //reveal secret stuff
}

#Case 2 Code
if (!empty($password) || $password != null) {
       if (ldap_bind($ds, escapeLDAP($rdn, 'dn'), $password)) {
            //reveal secret stuff
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-30 09:05 UTC] stas@php.net
-Type: Security +Type: Feature/Change Request
 [2017-01-09 06:45 UTC] heiglandreas@php.net
-Status: Open +Status: Not a bug
 [2017-01-09 06:45 UTC] heiglandreas@php.net 
This issue is targeting a deprecated version of PHP. And as ldap_bind is per RFC 2251 doing an anonymous bind when the password is left empty that's not a behaviour that should trigger a warning as it's the defined behaviour. And as it results in an anonymous bind it's not a security issue. 

You are right in that this behaviour should be reflected in the docs though!

So I'm closing this issue here now.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Dec 27 01:01:28 2024 UTC