Description

Logged in by LDAP will lead to a weak-password initialization，

<?php
            ...
                if ($ldap_user == $username) {
                    //如果该用户不在数据库里，则帮助其注册
                    $userInfo = D("User")->isExist($username) ; 
                    if(!$userInfo){ 
                        D("User")->register($ldap_user,$ldap_user.time()); //【register with a weak password, such as :  tom/tom1637248826】
                    }
                    $rs2=ldap_bind($ldap_conn, $dn , $password);//【when the LDAP password is WRONG，no password change will be implemented】
                    if ($rs2) {//如果该用户不在数据库里，则帮助其注册
                       D("User")->updatePwd($userInfo['uid'], $password);
                       return $this->checkLogin($username,$password);
                    }
                }
            }

Proof of Concept

1）If there is a valid LDAP user , let’s say named tom, once he activated his account( such as logged with a WRONG password: such tom/123456)

2）Then， a record will be add to the Database ( by D("User ")->register($ldap_user,$ldap_user.time());), with a password like tom1637248826, but the change of password D("User")->updatePwd($ won’t work

3）Because we all know that the password is like tom.time(), and time() is one kind of pseudo-random number, we could easily use brute force tool (such as Burp Intruder) to got it.

4）Thus in this situation，an attacker could brute force the password of tom’s, until getting the password of tom1637248826

 if ($rs2) {//如果该用户不在数据库里，则帮助其注册
                       D("User")->updatePwd($userInfo['uid'], $password);
                       return $this->checkLogin($username,$password);
                    }

Impact

This vulnerability is capable of：
compromise a user by brute force his/her password in certain situation（log with a valid LDAP username but WRONG password）