php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #62363 Lack of warning about anon. bind
Submitted: 2012-06-19 07:11 UTC Modified: 2017-01-09 06:45 UTC
From: gewalopdrbat at gmail dot com Assigned:
Status: Not a bug Package: LDAP related
PHP Version: 5.4.4 OS: Windows 7, Ubuntu 12.04
Private report: No CVE-ID: None
 [2012-06-19 07:11 UTC] gewalopdrbat at gmail dot com
Description:
------------
Most of the cases where a security concern or a possibility unexpected behavior are happily mentioned in the PHP documentation as WARNINGS or NOTES.
This case is very critical because many times the ldap_bind() function is used as in the Case 1 (see test script).
According the https://tools.ietf.org/html/rfc4513#section-5.1.2 , Clients MUST check for empty passwords to avoid successful bind when the username is valid (I've also tested the username '*', and it produced a successful bind).
It would be very nice to change the behavior of ldap_bind() and add a parameter to explicitly allow anonymous binding or at least mention the Case 2 in the examples (see test script).

Test script:
---------------
#Case 1 Code
if (ldap_bind($ds, $rdn, $password)){
       //reveal secret stuff
}

#Case 2 Code
if (!empty($password) || $password != null) {
       if (ldap_bind($ds, escapeLDAP($rdn, 'dn'), $password)) {
            //reveal secret stuff
}


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-30 09:05 UTC] stas@php.net
-Type: Security +Type: Feature/Change Request
 [2017-01-09 06:45 UTC] heiglandreas@php.net
-Status: Open +Status: Not a bug
 [2017-01-09 06:45 UTC] heiglandreas@php.net
This issue is targeting a deprecated version of PHP. And as ldap_bind is per RFC 2251 doing an anonymous bind when the password is left empty that's not a behaviour that should trigger a warning as it's the defined behaviour. And as it results in an anonymous bind it's not a security issue. 

You are right in that this behaviour should be reflected in the docs though!

So I'm closing this issue here now.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 11:01:30 2024 UTC