You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@continuum.apache.org by "Frederic (JIRA)" <ji...@codehaus.org> on 2010/07/02 14:35:32 UTC

[jira] Created: (CONTINUUM-2543) LDAP integration and empty passwords

LDAP integration and empty passwords
------------------------------------

                 Key: CONTINUUM-2543
                 URL: http://jira.codehaus.org/browse/CONTINUUM-2543
             Project: Continuum
          Issue Type: Bug
          Components: Security, Web - Security
    Affects Versions: 1.3.6, 1.3.4 (Beta)
            Reporter: Frederic


Due to a bug in Redback (http://jira.codehaus.org/browse/REDBACK-248), there is a security problem with continuum if integrated with LDAP. When the user exists in the LDAP and you give an empty password you get access to continuum.
I've created a patch for the redback issue and applied this to our continuum instance, and the problem was solved (see the redback issue for the patch. I've patched version 1.2.2 of redback-authentication-ldap as that's the version we are currently using (continuum 1.3.4). But I've checked if continuum 1.3.6 has the same bug and that's the case (however continuum 1.3.6 uses redback-authentication-ldap version 1.2.3).

I hope the redback developers will integrate the patch. If not, continuum should check for empty password and fail before trying the LDAP authenticator.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Closed: (CONTINUUM-2543) LDAP integration and empty passwords

Posted by "Maria Catherine Tan (JIRA)" <ji...@codehaus.org>.

     [ https://jira.codehaus.org/browse/CONTINUUM-2543?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Catherine Tan closed CONTINUUM-2543.
------------------------------------------

    Resolution: Fixed

REDBACK-248 is fixed in 1.3M1 which is what continuum trunk is using.

> LDAP integration and empty passwords
> ------------------------------------
>
>                 Key: CONTINUUM-2543
>                 URL: https://jira.codehaus.org/browse/CONTINUUM-2543
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security, Web - Security
>    Affects Versions: 1.3.4 (Beta), 1.3.6
>            Reporter: Frederic
>             Fix For: 1.4.1 (Beta)
>
>
> Due to a bug in Redback (http://jira.codehaus.org/browse/REDBACK-248), there is a security problem with continuum if integrated with LDAP. When the user exists in the LDAP and you give an empty password you get access to continuum.
> I've created a patch for the redback issue and applied this to our continuum instance, and the problem was solved (see the redback issue for the patch. I've patched version 1.2.2 of redback-authentication-ldap as that's the version we are currently using (continuum 1.3.4). But I've checked if continuum 1.3.6 has the same bug and that's the case (however continuum 1.3.6 uses redback-authentication-ldap version 1.2.3).
> I hope the redback developers will integrate the patch. If not, continuum should check for empty password and fail before trying the LDAP authenticator.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Updated: (CONTINUUM-2543) LDAP integration and empty passwords

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.

     [ http://jira.codehaus.org/browse/CONTINUUM-2543?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brett Porter updated CONTINUUM-2543:
------------------------------------

    Fix Version/s: 1.4.1 (Beta)

> LDAP integration and empty passwords
> ------------------------------------
>
>                 Key: CONTINUUM-2543
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-2543
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security, Web - Security
>    Affects Versions: 1.3.4 (Beta), 1.3.6
>            Reporter: Frederic
>             Fix For: 1.4.1 (Beta)
>
>
> Due to a bug in Redback (http://jira.codehaus.org/browse/REDBACK-248), there is a security problem with continuum if integrated with LDAP. When the user exists in the LDAP and you give an empty password you get access to continuum.
> I've created a patch for the redback issue and applied this to our continuum instance, and the problem was solved (see the redback issue for the patch. I've patched version 1.2.2 of redback-authentication-ldap as that's the version we are currently using (continuum 1.3.4). But I've checked if continuum 1.3.6 has the same bug and that's the case (however continuum 1.3.6 uses redback-authentication-ldap version 1.2.3).
> I hope the redback developers will integrate the patch. If not, continuum should check for empty password and fail before trying the LDAP authenticator.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Commented: (CONTINUUM-2543) LDAP integration and empty passwords

Posted by "Inaki (JIRA)" <ji...@codehaus.org>.

    [ http://jira.codehaus.org/browse/CONTINUUM-2543?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=269022#action_269022 ] 

Inaki commented on CONTINUUM-2543:
----------------------------------

Tested version 1.3.7 with redback 1.2.6 and this is still happening!!!

> LDAP integration and empty passwords
> ------------------------------------
>
>                 Key: CONTINUUM-2543
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-2543
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security, Web - Security
>    Affects Versions: 1.3.4 (Beta), 1.3.6
>            Reporter: Frederic
>             Fix For: 1.4.1 (Beta)
>
>
> Due to a bug in Redback (http://jira.codehaus.org/browse/REDBACK-248), there is a security problem with continuum if integrated with LDAP. When the user exists in the LDAP and you give an empty password you get access to continuum.
> I've created a patch for the redback issue and applied this to our continuum instance, and the problem was solved (see the redback issue for the patch. I've patched version 1.2.2 of redback-authentication-ldap as that's the version we are currently using (continuum 1.3.4). But I've checked if continuum 1.3.6 has the same bug and that's the case (however continuum 1.3.6 uses redback-authentication-ldap version 1.2.3).
> I hope the redback developers will integrate the patch. If not, continuum should check for empty password and fail before trying the LDAP authenticator.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira