Note: this may not be a Net::LDAP vulnerability, but it may be a
general usage vulnerability for authenticating against ADS.
Using Net::LDAP to authenticate users in a Rails application against
Active Directory will allow valid usernames and blank passwords to
authenticate as the username.
With the following method in the user class:
1 def User.ads_login(params)
2 ldap = Net::LDAP.new
3
4 ldap.host = "dc.example.com"
5 ldap.port = 389
6
7 ldap.auth "#{params[:username]}@example.com", params[:password]
8
9 if ldap.bind
10 #{ do something with ldap here }
11 end
12 end
If params[:username] = "validusername" and params[:password].blank?
the
above "ldap.bind" on line 9 will return true.
I don''t know the AD configuration, but I do know that it is repeatable
inside of Rails 1.2.3 with Net::LDAP 0.0.4 and my ADS environment.
Chris
--
Posted via http://www.ruby-forum.com/.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---