Previous versions of ldapmavis-mt mishandle zero-length user passwords for LDAP user authentication.
While some recent LDAP server implementations simply deny these requests, older servers may consider them as anonymous binds. If your setup uses ldapmavis-mt and your LDAP server permits anonymous binds with a DN set you might be at risk.
This issue affects ldapmavis-mt only. The script LDAP backends are safe.
There are several ways to remedy this issue:
Recommended: Upgrade to the current GIT, it comes with fixed code
Workaround A: Add a minimalistic script to reject zero-length passwords:
mavis module = external-mt {
script in {
if (defined $PASSWORD && $PASSWORD =~ /^$/) { set $RESULT = "NAK" return }
if (defined $PASSWDNEW && $PASSWDNEW =~ /^$/) { set $RESULT = "NAK" return }
}
# ...
exec = /usr/local/sbin/ldapmavis-mt
}
Workaround B: Switch to one of the script-based backends (mavis_tacplus-ng_ldap.pl/mavis_tacplus_ldap.pl/mavis_tacplus_ldap.py)
sanjmonkey Reporter
Previous versions of ldapmavis-mt mishandle zero-length user passwords for LDAP user authentication.
While some recent LDAP server implementations simply deny these requests, older servers may consider them as anonymous binds. If your setup uses ldapmavis-mt and your LDAP server permits anonymous binds with a DN set you might be at risk.
This issue affects ldapmavis-mt only. The script LDAP backends are safe.
There are several ways to remedy this issue:
Recommended: Upgrade to the current GIT, it comes with fixed code
Workaround A: Add a minimalistic script to reject zero-length passwords:
Workaround B: Switch to one of the script-based backends (mavis_tacplus-ng_ldap.pl/mavis_tacplus_ldap.pl/mavis_tacplus_ldap.py)