
LDAP integration and empty passwords

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.4 (Beta), 1.3.6
    • Fix Version/s: 1.4.1
    • Component/s: Security, Web - Security
    • Labels: None

    Description

      Due to a bug in Redback (http://jira.codehaus.org/browse/REDBACK-248), there is a security problem with Continuum if it is integrated with LDAP. When the user exists in the LDAP and you give an empty password, you get access to Continuum.
      I've created a patch for the Redback issue and applied it to our Continuum instance, and the problem was solved (see the Redback issue for the patch). I've patched version 1.2.2 of redback-authentication-ldap, as that's the version we are currently using (Continuum 1.3.4), but I've checked whether Continuum 1.3.6 has the same bug, and that is the case (however, Continuum 1.3.6 uses redback-authentication-ldap version 1.2.3).

      I hope the Redback developers will integrate the patch. If not, Continuum should check for an empty password and fail before trying the LDAP authenticator.
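      The check proposed in the last sentence, shown as an added example; this is not Continuum's or Redback's own code, and the `FakeDirectory` class is a constructed stand-in for an LDAP server. It mimics the behaviour behind this class of bug: an LDAP simple bind that carries a DN but an empty password is an "unauthenticated bind" (RFC 4513, section 5.1.2), which servers that allow it answer with success while only granting an anonymous session, so an application that equates "bind succeeded" with "password verified" lets the user in. The `authenticate_unguarded` function reproduces that mistake; `authenticate_guarded` rejects empty credentials before any bind is attempted, which is the client-side fix the reporter suggests and works regardless of how the directory is configured.

```python
"""Empty-password guard in front of an LDAP simple bind (added example)."""


class FakeDirectory:
    """Constructed stand-in for an LDAP server that permits unauthenticated binds.

    Real servers differ in their defaults (some refuse such binds outright),
    which is why the application must not rely on the server to reject them.
    """

    def __init__(self, users):
        self._users = dict(users)  # uid -> password, sample data only

    def simple_bind(self, uid, password):
        """Return True when the server would report a successful bind."""
        if uid not in self._users:
            return False  # unknown DN: invalidCredentials
        if password == "":
            # Unauthenticated bind: the server reports success but the
            # resulting session is anonymous; no password was checked.
            return True
        return self._users[uid] == password


# Constructed sample directory; the credential below is not a real secret.
DIRECTORY = FakeDirectory({"alice": "correct-horse-battery"})


def authenticate_unguarded(directory, uid, password):
    """Before: treats any successful bind as proof of identity."""
    return directory.simple_bind(uid, password)


def authenticate_guarded(directory, uid, password):
    """After: refuse missing or empty credentials before touching LDAP.

    The password is deliberately not stripped: a whitespace-only password is
    still a password to the directory, and altering it would change what is
    verified.
    """
    if not uid or password is None or password == "":
        return False
    return directory.simple_bind(uid, password)


if __name__ == "__main__":
    for uid, pw in (("alice", ""), ("alice", "correct-horse-battery"), ("alice", "wrong")):
        print(
            f"{uid!r}/{pw!r}: unguarded={authenticate_unguarded(DIRECTORY, uid, pw)} "
            f"guarded={authenticate_guarded(DIRECTORY, uid, pw)}"
        )
```

      The guard belongs in the application's authenticator rather than in a server setting: the directory is often administered by another team, and Active Directory in particular accepts unauthenticated binds by default, so a deployment that is safe against one server can silently become unsafe when pointed at another.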


          People

            Assignee: Unassigned
            Reporter: feniksenator (Frederic)
            Votes: 1
            Watchers: 1
