LDAP sign-in accepts blank passwords as valid
Created by: BHSPitMonkey
Using the LDAP/omniauth functionality, I seem to be able to illegitimately sign in as any user by simply providing their username and leaving the password field blank at the login page. Providing an incorrect (but non-blank) password correctly results in an "Invalid Credentials" message, but leaving the password completely blank results in a successful authentication. This is a very critical problem for LDAP users!
Is anyone else able to recreate this behavior?
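The behaviour reported above matches how LDAP simple bind works on the wire: per RFC 4513 section 5.1.2, a bind request carrying a DN but an empty password is an "unauthenticated" bind, and a server that permits it answers with `success` while granting only anonymous access. An application that treats any successful bind as a verified login therefore lets anyone in with a blank password. The following is an added example, not code from the reporter, GitLab or omniauth-ldap; `FakeDirectory` is a constructed in-memory stand-in for a directory server that accepts unauthenticated binds, and the entries in it are made up.

```ruby
# Added example: why an empty password can "authenticate" against LDAP, and
# the check that prevents it. FakeDirectory is a constructed stand-in for a
# real LDAP server; it is not net-ldap or any GitLab/omniauth-ldap code.

class FakeDirectory
  # entries: DN => password (constructed sample data)
  def initialize(entries)
    @entries = entries
  end

  # Models a simple bind. Returns [result_code, bound_identity], mirroring the
  # fact that a real server reports only a result code and you find out who
  # you are bound as only via the absence of privileges (or a Who Am I? op).
  def simple_bind(dn, password)
    dn = dn.to_s
    password = password.to_s
    if dn.empty?
      [:success, :anonymous]            # anonymous bind (no name, no password)
    elsif password.empty?
      [:success, :anonymous]            # unauthenticated bind, RFC 4513 5.1.2:
                                        # name given, empty password, server says OK
    elsif @entries[dn] == password
      [:success, dn]                    # genuinely authenticated as dn
    else
      [:invalid_credentials, nil]       # wrong password for an existing DN,
                                        # or unknown DN
    end
  end
end

# Constructed sample directory content.
DIRECTORY = FakeDirectory.new(
  'uid=alice,ou=people,dc=example,dc=com' => 'correct horse battery staple',
  'uid=bob,ou=people,dc=example,dc=com'   => 'hunter2'
)

# Assumed DN layout for the example; real deployments derive this from config.
def dn_for(username)
  "uid=#{username},ou=people,dc=example,dc=com"
end

# Vulnerable pattern: "the bind did not fail, so the user is who they claim".
# A blank password yields :success (unauthenticated bind) and is accepted.
def vulnerable_login(username, password)
  code, _identity = DIRECTORY.simple_bind(dn_for(username), password)
  code == :success
end

# Hardened pattern: never send an empty password to the directory at all, since
# the server cannot tell you "I accepted this, but only anonymously" through the
# result code. Rejecting the blank credential client-side closes the hole
# regardless of how the server is configured.
def hardened_login(username, password)
  return false if username.to_s.empty? || password.to_s.empty?
  code, identity = DIRECTORY.simple_bind(dn_for(username), password)
  code == :success && identity == dn_for(username)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable_login('alice', '')      => #{vulnerable_login('alice', '')}"
  puts "hardened_login('alice', '')        => #{hardened_login('alice', '')}"
  puts "hardened_login('alice', 'correct horse battery staple') => " \
       "#{hardened_login('alice', 'correct horse battery staple')}"
end
```

Whether a real directory honours unauthenticated binds is a server-side setting (many deployments allow it by default), so the client-side blank-password check is the dependable fix; the second condition in `hardened_login`, comparing the bound identity to the expected DN, is only meaningful here because the stand-in exposes it, and stands in for verifying the bound identity (for example with a Who Am I? request) where the server supports that.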