PHP :: Request #62363 :: Lack of warning about anon. bind

Request #62363	Lack of warning about anon. bind
Submitted:	2012-06-19 07:11 UTC	Modified:	2017-01-09 06:45 UTC
From:	gewalopdrbat at gmail dot com	Assigned:
Status:	Not a bug	Package:	LDAP related
PHP Version:	5.4.4	OS:	Windows 7, Ubuntu 12.04
Private report:	No	CVE-ID:	None

View Developer Edit

[2012-06-19 07:11 UTC] gewalopdrbat at gmail dot com

Description:
------------
Most of the cases where a security concern or a possibility unexpected behavior are happily mentioned in the PHP documentation as WARNINGS or NOTES.
This case is very critical because many times the ldap_bind() function is used as in the Case 1 (see test script).
According the https://tools.ietf.org/html/rfc4513#section-5.1.2 , Clients MUST check for empty passwords to avoid successful bind when the username is valid (I've also tested the username '*', and it produced a successful bind).
It would be very nice to change the behavior of ldap_bind() and add a parameter to explicitly allow anonymous binding or at least mention the Case 2 in the examples (see test script).

Test script:
---------------
#Case 1 Code
if (ldap_bind($ds, $rdn, $password)){
       //reveal secret stuff
}

#Case 2 Code
if (!empty($password) || $password != null) {
       if (ldap_bind($ds, escapeLDAP($rdn, 'dn'), $password)) {
            //reveal secret stuff
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-12-30 09:05 UTC] stas@php.net

-Type: Security +Type: Feature/Change Request

[2017-01-09 06:45 UTC] heiglandreas@php.net

-Status: Open +Status: Not a bug

[2017-01-09 06:45 UTC] heiglandreas@php.net

This issue is targeting a deprecated version of PHP. And as ldap_bind is per RFC 2251 doing an anonymous bind when the password is left empty that's not a behaviour that should trigger a warning as it's the defined behaviour. And as it results in an anonymous bind it's not a security issue. 

You are right in that this behaviour should be reflected in the docs though!

So I'm closing this issue here now.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Feb 16 16:01:29 2025 UTC