Request #62363 Lack of warning about anon. bind
Submitted: 2012-06-19 07:11 UTC Modified: 2017-01-09 06:45 UTC
From: gewalopdrbat at gmail dot com Assigned:
Status: Not a bug Package: LDAP related
PHP Version: 5.4.4 OS: Windows 7, Ubuntu 12.04
Private report: No CVE-ID: None
 [2012-06-19 07:11 UTC] gewalopdrbat at gmail dot com
Description:
------------
Most of the cases where there is a security concern or a possibility of unexpected behavior are happily mentioned in the PHP documentation as WARNINGS or NOTES.
This case is very critical because many times the ldap_bind() function is used as in Case 1 (see test script).
According to https://tools.ietf.org/html/rfc4513#section-5.1.2 , clients MUST check for empty passwords to avoid a successful bind when the username is valid (I've also tested the username '*', and it produced a successful bind).
It would be very nice to change the behavior of ldap_bind() and add a parameter to explicitly allow anonymous binding or at least mention the Case 2 in the examples (see test script).

Test script:
---------------
#Case 1 Code
# An empty $password makes ldap_bind() perform an anonymous bind, which succeeds on most servers.
if (ldap_bind($ds, $rdn, $password)) {
    //reveal secret stuff
}

#Case 2 Code
# Reject an empty password before calling ldap_bind(); escapeLDAP() is the reporter's own DN-escaping helper.
if (!empty($password) || $password != null) {
    if (ldap_bind($ds, escapeLDAP($rdn, 'dn'), $password)) {
        //reveal secret stuff
    }
}
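The following is an added example, not code from the bug report or from PHP itself, showing the guard the reporter asks for as a reusable login function: it refuses empty and null passwords locally (RFC 4513 section 5.1.2) so that ldap_bind() can never silently turn a login attempt into an anonymous bind, and it escapes the username before building the DN. Assumed names are ldap_authenticate(), $ds, $base_dn and the placeholder server and user values; ldap_escape() exists from PHP 5.6 and the nullable type hint needs PHP 7.1 or later.

```php
<?php
// Added example (not part of the bug report): a wrapper around ldap_bind()
// that only reports success for a simple bind that actually carried a password.
// Assumed: $ds comes from ldap_connect(); ldap_escape() is available (PHP >= 5.6).

/**
 * Authenticate $username against LDAP.
 * Returns true only when the server accepted a bind with a non-empty password;
 * an empty password is rejected here so it can never become an anonymous bind.
 */
function ldap_authenticate($ds, string $username, ?string $password, string $base_dn): bool
{
    // Unauthenticated-bind guard (RFC 4513 section 5.1.2). strlen() is used rather
    // than empty() so that the password "0" is not mistaken for "no password".
    if ($password === null || strlen($password) === 0) {
        return false;
    }
    if (strlen($username) === 0) {
        return false;
    }

    // Build the DN safely: ldap_escape() neutralises characters that have meaning
    // in a DN, such as ',', '+', '=' and '\', so a crafted username cannot reshape it.
    $rdn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $base_dn;

    // LDAPv3 and no referral chasing keep the bind result tied to this server.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // ldap_bind() emits a PHP warning on failure; suppress it and log ldap_error() instead.
    $ok = @ldap_bind($ds, $rdn, $password);
    if (!$ok) {
        error_log(sprintf('LDAP bind failed for %s: %s', $rdn, ldap_error($ds)));
    }
    return $ok;
}

// Usage; the server address, base DN and form field names are placeholders.
$ds = ldap_connect('ldaps://ldap.example.invalid');
$user = isset($_POST['user']) ? (string) $_POST['user'] : '';
$pass = isset($_POST['pass']) ? (string) $_POST['pass'] : null;
if ($ds && ldap_authenticate($ds, $user, $pass, 'ou=people,dc=example,dc=invalid')) {
    // reveal secret stuff
} else {
    // deny access
}
```

The check belongs in the client because the server is behaving as RFC 4513 allows: a bind request with a DN and a zero-length password is an unauthenticated bind, and many directories accept it. A login routine that treats that success as proof of identity is the defect, so the password length test runs before any network call rather than relying on the bind result.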


History

 [2014-12-30 09:05 UTC] stas@php.net
-Type: Security +Type: Feature/Change Request
 [2017-01-09 06:45 UTC] heiglandreas@php.net
-Status: Open +Status: Not a bug
 [2017-01-09 06:45 UTC] heiglandreas@php.net
This issue is targeting a deprecated version of PHP. And as ldap_bind is, per RFC 2251, doing an anonymous bind when the password is left empty, that's not a behaviour that should trigger a warning, as it's the defined behaviour. And as it results in an anonymous bind, it's not a security issue.

You are right in that this behaviour should be reflected in the docs though!

So I'm closing this issue here now.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Apr 24 03:01:29 2024 UTC