Note: this may not be a Net::LDAP vulnerability, but it may be a
general usage vulnerability for authenticating against ADS.
Using Net::LDAP to authenticate users in a Rails application against
Active Directory will allow valid usernames and blank passwords to
authenticate as the username.
With the following method in the user class:
 1  def User.ads_login(params)
 2    ldap = Net::LDAP.new
 3
 4    ldap.host = "dc.example.com"
 5    ldap.port = 389
 6
 7    ldap.auth "#{params[:username]}@example.com", params[:password]
 8
 9    if ldap.bind
10      #{ do something with ldap here }
11    end
12  end
If params[:username] = "validusername" and params[:password].blank?, the
above "ldap.bind" on line 9 will return true.
I don’t know the AD configuration, but I do know that it is repeatable
inside of Rails 1.2.3 with Net::LDAP 0.0.4 and my ADS environment.
Chris
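
An added example, not part of the original post and not Net::LDAP's own code: a guard that refuses blank credentials before any bind is attempted. A simple bind with a name and an empty password is an "unauthenticated bind" (RFC 4513, section 5.1.2), which a server may answer with success. The AdsAuth module, the binder: parameter and the fake directory are assumptions made for illustration.

```ruby
# Added example: reject blank credentials before calling ldap.bind.
module AdsAuth
  HOST   = "dc.example.com" # from the post
  PORT   = 389              # from the post
  DOMAIN = "example.com"    # from the post

  # True only for a String with non-whitespace content. params values can
  # be nil, "", or an Array/Hash (e.g. password[]=...), so check the type.
  # Whitespace-only values are refused too, matching Rails' blank?.
  def self.usable?(value)
    value.is_a?(String) && !value.strip.empty?
  end

  # Default binder: the same Net::LDAP calls the post uses. The gem is
  # loaded lazily so the guard can be exercised without it installed.
  REAL_BIND = lambda do |user, password|
    require "net/ldap"
    ldap = Net::LDAP.new
    ldap.host = HOST
    ldap.port = PORT
    ldap.auth "#{user}@#{DOMAIN}", password
    ldap.bind
  end

  # binder: is a hypothetical injection point added for this example.
  # The directory is never contacted unless both values are usable.
  def self.login(username, password, binder: REAL_BIND)
    return false unless usable?(username) && usable?(password)
    binder.call(username, password) == true
  end
end

# Constructed stand-in for the behaviour reported in the post: a known
# user with an empty password binds successfully.
FAKE_DIRECTORY = { "validusername" => "s3cret-constructed" }
FAKE_BIND = lambda do |user, password|
  return false unless FAKE_DIRECTORY.key?(user)
  password.to_s.empty? || FAKE_DIRECTORY[user] == password
end
```

In a controller this would be called as AdsAuth.login(params[:username], params[:password]), with the result of the bind trusted only when the guard has passed.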