** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability
--
You received this bug notification because you are a member of C2C OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/760301

Title:
  [6.0.2] users_ldap allows login with blank password

Status in OpenERP Modules (addons):
  New

Bug description:
  Allow users_ldap to create a user.
  Login as that user. If you give the wrong password it rejects you. If you leave the password blank it lets you in!

  Line 99 in users_ldap.py:
    if l.bind_s(dn, password):

  Basically, if you can bind you're in. According to this posting http://www.openldap.org/lists/openldap-software/200112/msg00178.html ldap is *designed* to allow an anonymous bind if the password is blank, so users_ldap *must* explicitly check for blank passwords itself.
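
The behaviour described in the report, as an added example that is not part of the original message or of the users_ldap module. A constructed stub stands in for the LDAP server and models an empty password as an anonymous bind that succeeds; `StubDirectory`, `login_vulnerable`, `login_hardened` and the sample user are hypothetical.

```python
# Added example: StubDirectory is a constructed stand-in for an LDAP
# connection. It is not python-ldap and not the users_ldap module's code.

class InvalidCredentials(Exception):
    """Raised by the stub when a simple bind carries the wrong password."""


class StubDirectory:
    """Models simple-bind outcomes for a constructed user table."""

    def __init__(self, users):
        self.users = users      # dn -> password
        self.bound_as = None    # None means the session is anonymous

    def bind_s(self, dn, password):
        if not password:
            # Empty password: the server treats this as an anonymous bind.
            # It succeeds without proving anything about dn.
            self.bound_as = None
            return (97, [])     # illustrative "bind response" result
        if self.users.get(dn) != password:
            raise InvalidCredentials(dn)
        self.bound_as = dn
        return (97, [])


def login_vulnerable(conn, dn, password):
    """Pattern from the report: any successful bind counts as a login."""
    try:
        return bool(conn.bind_s(dn, password))
    except InvalidCredentials:
        return False


def login_hardened(conn, dn, password):
    """Refuse empty credentials before the directory is contacted."""
    if not dn or not password:
        return False
    try:
        conn.bind_s(dn, password)
    except InvalidCredentials:
        return False
    return True


# Constructed sample data
USERS = {"uid=alice,ou=people,dc=example,dc=com": "correct horse"}
```

With the stub, the vulnerable check accepts a blank password for an existing DN even though the session ends up anonymous, while the hardened check rejects it without ever issuing the bind.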

