Possible Net::LDAP Vulnerability

Note: this may not be a Net::LDAP vulnerability, but it may be a
general usage vulnerability for authenticating against ADS.

Using Net::LDAP to authenticate users in a Rails application against
Active Directory will allow valid usernames and blank passwords to
authenticate as the username.

With the following method in the user class:

 1 def User.ads_login(params)
 2   ldap = Net::LDAP.new
 4   ldap.host = "dc.example.com"
 5   ldap.port = 389
 7   ldap.auth "#{params[:username]}@example.com", params[:password]
 9   if ldap.bind
10     # do something with ldap here
11   end
12 end

If params[:username] = "validusername" and params[:password].blank? the
above "ldap.bind" on line 9 will return true.

I don’t know the AD configuration, but I do know that it is repeatable
inside of Rails 1.2.3 with Net::LDAP 0.0.4 and my ADS environment.
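
The behaviour reported above matches what RFC 4513 (section 5.1.2) calls an unauthenticated bind: a simple bind carrying a name and a zero-length password, which a server may answer with success without checking any credential. The following is an added example, not code from the original post or from Net::LDAP; FakeDirectory is a constructed stand-in that exposes the same auth/bind calls as the post's method so it runs offline, and naive_login and checked_login are hypothetical names.

```ruby
# Constructed stand-in for Net::LDAP (same #auth / #bind calls as the post's
# method). It models a directory that answers a simple bind with a name and
# an empty password as an unauthenticated bind and reports success.
class FakeDirectory
  # Constructed sample account, not a real credential.
  USERS = { "validusername@example.com" => "s3cret-constructed" }.freeze

  def auth(name, password)
    @name = name
    @password = password
  end

  def bind
    return true if @password.nil? || @password.empty? # unauthenticated bind
    USERS[@name] == @password                         # real credential check
  end
end

# The login flow from the post: bind success is taken as proof of identity.
def naive_login(ldap, params)
  ldap.auth "#{params[:username]}@example.com", params[:password]
  ldap.bind
end

# Hardened flow: refuse an empty username or password before any bind request
# is sent, so an unauthenticated bind can never be counted as a login.
def checked_login(ldap, params)
  username = params[:username].to_s.strip
  password = params[:password].to_s
  return false if username.empty? || password.empty?

  ldap.auth "#{username}@example.com", password
  ldap.bind ? true : false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: blank, missing, wrong and correct passwords.
  ["", nil, "wrong", "s3cret-constructed"].each do |pw|
    params = { username: "validusername", password: pw }
    printf("%-22p naive=%-5s checked=%s\n", pw,
           naive_login(FakeDirectory.new, params),
           checked_login(FakeDirectory.new, params))
  end
end
```

The check belongs in the application because the client library only forwards what it is given; whether the directory itself rejects such binds depends on server configuration, which the post does not describe.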