Security Alert: LDAP accepts credentials with empty password!

If you call ldap_bind() with an empty password, the return value is true for an unauthenticated access. You can find a nice article at http://stackoverflow.com/questions/13838324/ldap-authentication-in-php-authenticated-without-giving-a-password that describes the whole problem in all cases.

So the ldap.php at backend/AUTH/methode must be changed in line 45.

Old:
   if ($info["nbResultats"]!=1)

New:
   if (($info["nbResultats"]!=1)||($pw=='')||($info[0]["dn"]==''))
 

After these changes, access is denied if the user name or password is empty!

Martin

in OCS Inventory NG server for Unix by (140 points)
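
The empty-credential check from the post above, written as a stand-alone guard around the bind call (an added example, not code from OCS Inventory NG or from the post). `guarded_bind`, the stand-in directory and the sample DNs are constructed for illustration; the stand-in mimics a server that reports success for a bind with an empty password.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: fail closed before the bind is attempted.
// $bind is any callable (dn, password) => bool; in production it wraps ldap_bind().
function guarded_bind(callable $bind, ?string $dn, ?string $password): bool
{
    // Empty DN means an anonymous bind, empty password an unauthenticated bind.
    // Neither proves knowledge of the user's secret, so never send them.
    if ($dn === null || trim($dn) === '') {
        return false;
    }
    if ($password === null || $password === '') {
        return false;
    }
    return $bind($dn, $password) === true;
}

// Constructed stand-in for a directory that reports success on an empty
// password, the behaviour the post describes for ldap_bind().
$directory = ['uid=alice,ou=people,dc=example,dc=org' => 'S3cret!'];
$fakeBind = function (string $dn, string $pw) use ($directory): bool {
    if ($pw === '') {
        return true; // unauthenticated bind "succeeds"
    }
    return isset($directory[$dn]) && hash_equals($directory[$dn], $pw);
};

// Constructed test credentials: valid, empty password, wrong password, empty DN.
$cases = [
    ['uid=alice,ou=people,dc=example,dc=org', 'S3cret!'],
    ['uid=alice,ou=people,dc=example,dc=org', ''],
    ['uid=alice,ou=people,dc=example,dc=org', 'wrong'],
    ['', 'S3cret!'],
];
foreach ($cases as [$dn, $pw]) {
    printf(
        "dn=%s pw=%s raw=%s guarded=%s\n",
        var_export($dn, true),
        var_export($pw, true),
        var_export($fakeBind($dn, $pw), true),
        var_export(guarded_bind($fakeBind, $dn, $pw), true)
    );
}

// With a real connection ($conn from ldap_connect(), assumed to exist):
// $ok = guarded_bind(fn($d, $p) => @ldap_bind($conn, $d, $p), $userDn, $password);
```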

1 Answer

0 votes
Hi,

Thanks for the info. Which version of ocs server?

Regards

Frank
by (90.2k points)
 