BIG security issue?
Hi,
I use this bundle to manage security of an application. There is something weird: when I try to connect with a login using a bad password, the login operation fails. But if I remove the password field from the DOM before submitting the identification form, then the login operation succeeds and I'm logged in as the right LDAP user (with his roles). Scary...
For information I use Active Directory.
Can somebody try and confirm (or not) this? Thanks for your help.
Same as #36
Yep, the bug seems to be the same... and sadly the last commit (master branch) doesn't solve it :(
Can you confirm? Because if (strlen($this->password) === 0) { works for me...
This AD fish is very strange. Everyone can use ldap_search to authenticate on another account without a password.
I think that this bundle prevents this, but it's not its role.
So I guess you confirm the case? Me, I still do... I understand your surprise and I am also very annoyed because of this issue... Actually, if you think this bundle doesn't have to prevent this behaviour, can you (or anybody reading this) just tell me how I can do it by myself while still using your bundle: before it, after it, or maybe with the event feature?
Thx for your help.
Are you using the latest version? Master branch.
Can you set a breakpoint? Because for me, without the password <input> in the DOM, I return false.
public function auth()
{
    xdebug_break();
    // An empty password must never reach the bind: an LDAP bind with a name
    // and an empty password is an "unauthenticated" bind and can succeed.
    if (strlen($this->password) === 0) {
        return false;
    }
    // ... the bind logic follows here
}
Yes, I've checked my version; I am using the latest commit (e570724).
As you suggested, I have put an xdebug_break() in the code and these are the results:
- if I log in with a good login/password, all is OK :+1:
- if I log in with a good login and an empty password, all is still OK (the test returns false and I come back to the login form) :+1:
- if I remove the password field from the DOM before submitting, this part of the code is not executed! The auth function and xdebug_break are never called... but I am logged in as the right user with all his roles! :-1:
Do you see why this part of the code is not executed? Is it because of the bundle's logic, or because of Symfony's?
If you want me to do other tests, keep in touch. Thx again.
@gyalamanchi, sorry to ask you this, but I've seen you use this bundle with Active Directory in a large company, so maybe we have the same architecture topology... Can you please try to log in to your Symfony application with a good user login, but before submitting, remove the password field from the DOM so the form will only send the login. Please just tell me what happens when you do this... Are you logged in or not?
Thank you very much !
I'm using this bundle to connect to my LDAP server for an already authenticated user, using Kerberos. So I have just the uid, and I know the user is already authenticated. Since the last checkout of dev: master of this imag/bundle (e570724) my code started to fail because of the addition of this:
if (strlen($this->password) === 0) { return false; }
(Before, I used checkout version 5677b63 and everything worked fine.) I wonder if you could add some parameter to bypass this security control? (Because in my case, users are already authenticated, I just want to get the information from LDAP, and I also would like the user to be treated as authenticated in Symfony, and I'm too much of a noob to know how to ask Composer to install a specific checkout of a bundle.) I am mainly commenting in case other users have the same issues I had. Well, anyway, thanks for this great bundle!
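An added example, not code from the bundle or from anyone in this thread, showing the two things the thread converges on: the bind described a few comments up (a name with an empty password is an unauthenticated bind, and Active Directory answers it with success) must be cut off before any network call, and a removed <input> arrives as an absent field rather than an empty string, so the check has to treat null the same as ''. For the Kerberos case in the last comment, attributes for a user already authenticated elsewhere are fetched through a read-only service account rather than by relaxing that check. The server URI, base DN, NetBIOS domain and service-account constants are placeholders, and the `_username`/`_password` field names are an assumption.

```php
<?php
// Added example (not the bundle's code). Placeholder constants below are
// assumptions for illustration and must be replaced with real values.
declare(strict_types=1);

const LDAP_URI          = 'ldaps://ad.example.test';                      // placeholder
const LDAP_BASE_DN      = 'DC=example,DC=test';                           // placeholder
const AD_NETBIOS_DOMAIN = 'EXAMPLE';                                      // placeholder
const SERVICE_BIND_DN   = 'CN=ldap-reader,OU=Service,DC=example,DC=test'; // placeholder
const SERVICE_PASSWORD  = 'replace-me';                                   // placeholder, load from secrets

/** Opens a protocol-v3 connection that does not chase referrals; null on failure. */
function ldapConnection()
{
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    return $conn;
}

/**
 * Password check that an unauthenticated bind cannot satisfy.
 * RFC 4513 section 5.1.2: a bind with a name and an empty password is
 * "unauthenticated", and many directories, AD included, answer success.
 * The missing-field case (removed <input>) is null and the empty-field
 * case is ''; both are refused before any bind is attempted.
 */
function verifyLdapPassword(string $username, ?string $password): bool
{
    if ($password === null || $password === '') {
        return false;
    }
    // Reject control characters and the characters AD forbids in sAMAccountName,
    // so the value cannot alter the identity named in the bind.
    if ($username === '' || preg_match('/[\x00-\x1f"\/\\\\\[\]:;|=,+*?<>]/', $username)) {
        return false;
    }
    $conn = ldapConnection();
    if ($conn === null) {
        return false;
    }
    // Simple bind as DOMAIN\user. A wrong password returns false; the @ only
    // hides the warning PHP emits on that normal failure path.
    $ok = @ldap_bind($conn, AD_NETBIOS_DOMAIN . '\\' . $username, $password);
    ldap_unbind($conn);
    return $ok === true;
}

/**
 * Attribute lookup for a user already authenticated elsewhere (Kerberos, as in
 * the last comment): bind with a read-only service account and search, instead
 * of bypassing the empty-password check. Returns the single matching entry or null.
 */
function lookupPreAuthenticatedUser(string $uid): ?array
{
    if ($uid === '') {
        return null;
    }
    $conn = ldapConnection();
    if ($conn === null) {
        return null;
    }
    if (@ldap_bind($conn, SERVICE_BIND_DN, SERVICE_PASSWORD) !== true) {
        ldap_unbind($conn);
        return null;
    }
    // ldap_escape keeps a crafted uid from rewriting the search filter.
    $filter  = '(sAMAccountName=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = ldap_search($conn, LDAP_BASE_DN, $filter, ['memberOf', 'mail', 'displayName']);
    $entries = $result !== false ? ldap_get_entries($conn, $result) : false;
    ldap_unbind($conn);
    if ($entries === false || $entries['count'] !== 1) {
        return null;
    }
    return $entries[0];
}

/**
 * Form handling: a missing field, an empty field and a non-string value (for
 * example "_password[]") all reach verifyLdapPassword() as null or '', which
 * refuses them, instead of silently taking a different code path.
 */
function handleLoginForm(array $post): bool
{
    $username = $post['_username'] ?? null;
    $password = $post['_password'] ?? null;
    return verifyLdapPassword(
        is_string($username) ? $username : '',
        is_string($password) ? $password : null
    );
}
```

The point of routing everything through `handleLoginForm()` is that the absent-field case is decided in one place: whatever the form sends, the only way to reach `ldap_bind` with the user's identity is with a non-empty string password, and the only way to read a pre-authenticated user's attributes is with the service account's own credentials.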