continuum-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Frederic (JIRA)" <j...@codehaus.org>
Subject [jira] Created: (CONTINUUM-2543) LDAP integration and empty passwords
Date Fri, 02 Jul 2010 12:35:32 GMT
LDAP integration and empty passwords
------------------------------------

                 Key: CONTINUUM-2543
                 URL: http://jira.codehaus.org/browse/CONTINUUM-2543
             Project: Continuum
          Issue Type: Bug
          Components: Security, Web - Security
    Affects Versions: 1.3.6, 1.3.4 (Beta)
            Reporter: Frederic


Due to a bug in Redback (http://jira.codehaus.org/browse/REDBACK-248), there is a security
problem with continuum if integrated with LDAP. When the user exists in the LDAP and you give
an empty password you get access to continuum.
I've created a patch for the redback issue and applied this to our continuum instance, and
the problem was solved (see the redback issue for the patch. I've patched version 1.2.2 of
redback-authentication-ldap as that's the version we are currently using (continuum 1.3.4).
But I've checked if continuum 1.3.6 has the same bug and that's the case (however continuum
1.3.6 uses redback-authentication-ldap version 1.2.3).

I hope the redback developers will integrate the patch. If not, continuum should check for
empty password and fail before trying the LDAP authenticator.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message