Possible LDAP Security Flaw.. feedback wanted.
I just had a security scare where a user could login to Redmine without providing a password, just as long as the user existed in the database and was set to use LDAP authentication. With the help of few people more knowledgeable than myself, I believe has been resolved. What made this difficult to troubleshoot was that LDAP authentication worked correctly on a Mac (Mac OS X 10.5.2), but not on either of two RHEL 5 servers.
The problem itself seems to be related to Redmine successfully finding the user on the LDAP server and if found, allowing a blank password for successful authentication. Any characters entered in the password field (with the exception of the correct password) still result in an unsuccessful authentication.
To fix this issue, a colleague added the following piece of code to the User model, towards the beginning of
def self.try_to_login(login, password) user = find(:first, :conditions => ["login=?", login])
def self.try_to_login(login, password) user = find(:first, :conditions => ["login=?", login]) if password.empty? return nil end
That seems to have happened after the 0.6.3 release was made.
I would strongly encourage an immediate 0.6.4 release and security announcement regarding this immediately. Otherwise people will be downloading and installing code that has known security vulnerabilities, unless they happen to follow trunk. Following trunk wouldn't exactly be the first instinct for someone deploying a web app on a production server, either.
I realize that you didn't duplicate the problem against openLDAP, but it seems to have bitten more than one person already.
Can't be too careful with security.
I'm sorry. I forgot to mention this is with today's build, 1226, so I believe either it is unrelated or it has cropped up again. And as I said, this is on RHEL 5, likely a common platform for deployment.
Great package and keep up the brilliant work!!!