
Security Request: Change the default for anonymous binding from true to false

Open jhowe-uw opened this issue 3 years ago • 0 comments

We are using phpLDAPadmin version 1.2.6.2.

By default, anonymous binding is enabled.

I believe this exposes the system to potential data exfiltration, especially when the system has malformed, incorrect, or incongruent LDAP ACL policies in relation to operational constraints.

However, this is an admin tool, and as such, should be hardened on an initial deploy.

We were recently graciously tagged offline by a security researcher (selsel), who was kind enough to point out these weaknesses in our infrastructure via a Google Dork scan (https://www.google.com/search?q=inurl:/phpldapadmin/cmd.php).

I propose the following code change:

# Disable anonymous login by default
$servers->setValue('login', 'anon_bind', false);

I believe this affects the following files:

config/config.php.example

lib/ds_ldap_pla.php

Thanks!

jhowe-uw, Mar 23 '22 04:03
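The check a practitioner wants before deciding how much this default matters is whether the backend directory accepts anonymous binds at all: phpLDAPadmin's anon_bind option only lets a visitor perform the anonymous bind that the directory itself already permits. The script below is an added example written for this page, not code from the issue author or from phpLDAPadmin. It uses only the Python standard library, hand-encodes the RFC 4511 BindRequest (empty DN, empty simple password) in BER, and decodes the BindResponse resultCode. All function names, the sample response bytes and the placeholder host are assumptions made here.

```python
"""Anonymous-bind probe for an LDAP server (RFC 4511), standard library only.
Added example for this issue, not phpLDAPadmin code."""
import socket
from typing import Tuple

LDAP_SUCCESS = 0
LDAP_INAPPROPRIATE_AUTH = 48   # what OpenLDAP returns under "disallow bind_anon"


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def build_anon_bind(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    assert 1 <= message_id <= 127, "single-octet messageID only in this example"
    bind = tlv(0x60, tlv(0x02, b"\x03")      # [APPLICATION 0] BindRequest, version 3
               + tlv(0x04, b"")             # name: empty LDAPDN (anonymous)
               + tlv(0x80, b""))            # authentication: simple [0], empty password
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the BER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n octets hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, message, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(message, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, response, _ = read_tlv(message, pos)
    if tag != 0x61:                          # [APPLICATION 1] BindResponse
        raise ValueError("unexpected protocolOp tag 0x%02x" % tag)
    tag, code, pos = read_tlv(response, 0)
    if tag != 0x0A:                          # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = read_tlv(response, pos)
    _, diagnostic, _ = read_tlv(response, pos)
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diagnostic.decode("utf-8", "replace"))


def classify(result_code: int) -> str:
    """Verdict: success means the directory itself accepts anonymous binds."""
    if result_code == LDAP_SUCCESS:
        return "ACCEPTED: anonymous bind allowed; audit the directory ACLs"
    return "REJECTED: anonymous bind refused (resultCode %d)" % result_code


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_anonymous_bind(host: str, port: int = 389, timeout: float = 5.0) -> Tuple[int, str]:
    """Connect in the clear, send the anonymous bind, return (resultCode, diagnostic)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_anon_bind(message_id=1))
        head = _recv_exact(sock, 2)          # outer SEQUENCE tag + first length octet
        length = head[1]
        if length & 0x80:
            extra = _recv_exact(sock, length & 0x7F)
            head, length = head + extra, int.from_bytes(extra, "big")
        mid, code, diag = parse_bind_response(head + _recv_exact(sock, length))
    if mid != 1:
        raise ValueError("response messageID %d does not match request" % mid)
    return code, diag


# Constructed sample, not captured from any real server: BindResponse for
# messageID 1 with resultCode 0 (success), empty matchedDN and diagnostic.
SAMPLE_SUCCESS_RESPONSE = bytes.fromhex("300c02010161070a010004000400")

if __name__ == "__main__":
    import sys                               # usage: python3 anonbind.py ldap.example.org
    code, diag = (probe_anonymous_bind(sys.argv[1]) if len(sys.argv) > 1
                  else parse_bind_response(SAMPLE_SUCCESS_RESPONSE)[1:])
    print(classify(code), diag)
```

With no argument the script decodes the constructed sample; with a hostname it talks plain LDAP on port 389 (not LDAPS or StartTLS). A success result means the server answers anonymous binds, so flipping anon_bind to false in phpLDAPadmin removes the option from the web UI but does not stop a direct `ldapsearch -x` against the directory; closing that requires disabling anonymous binds on the server (for OpenLDAP, `disallow bind_anon`) or fixing its ACLs.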