I just discovered a brand new flawed behavior in one of Novell's flagship products: Novell eDirectory.

Which result would you expect from an LDAP server when performing an LDAP simple bind with a valid DN and an empty password? The DN has a password assigned in the DIT.

"Bind refused" you say? Sure, if you are using OpenLDAP that would be the correct answer, but eDirectory silently turns the request into an anonymous bind because of the empty password (this is the "unauthenticated" form of simple bind described in RFC 4513, section 5.1.2, which says servers should reject such requests by default). The funny thing is, this cannot be turned off anywhere, nor is it documented other than in a single sentence in the Novell LDAP Guide. One can only turn off anonymous binds entirely, which renders a lot of applications unusable when they don't implement proxy binds.

Now let's take an application that checks users against LDAP by trying to bind as them. To the application the bind with the empty password succeeds; from the bind result alone it has no way of telling whether the bind was anonymous or a real bind to the DN. Voilà, there you have a security hole in most apps that use LDAP to perform authentication: just leave the password field blank. No more need for brute force or social engineering.
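As an added illustration (not code from the original post, and not eDirectory or Novell code), the following Python models the bind behaviour described above with a constructed stand-in directory and shows the two checks a bind-based authentication routine needs: refuse an empty password before ever sending a bind, and confirm afterwards that the server actually bound the session as the requested DN. The `FakeDirectory` class, its `whoami` method (modelled on the "Who am I?" extended operation of RFC 4532, which I assume the deployed server supports), the sample DN and password are all assumptions made for the example.

```python
"""Empty-password LDAP bind: vulnerable vs. hardened authentication check.

Constructed simulation, not eDirectory code: FakeDirectory models the
behaviour described in the post, where a simple bind with a real DN and an
empty password is treated as an anonymous bind and reported as a success.
"""
from dataclasses import dataclass

ANONYMOUS = ""  # authorization identity of an anonymous session


@dataclass
class BindResult:
    success: bool
    authz_id: str           # who the server considers us after the bind
    diagnostic: str = ""


@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP server; `passwords` maps DN -> password."""
    passwords: dict
    # True models the eDirectory quirk from the post; False models a server
    # that rejects unauthenticated binds (the RFC 4513 section 5.1.2 default).
    empty_password_becomes_anonymous: bool = True

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if dn == "" and password == "":
            return BindResult(True, ANONYMOUS)            # ordinary anonymous bind
        if password == "":
            if self.empty_password_becomes_anonymous:
                return BindResult(True, ANONYMOUS)        # DN ignored, success reported
            return BindResult(False, ANONYMOUS, "unwillingToPerform")
        if self.passwords.get(dn) == password:
            return BindResult(True, "dn:" + dn)
        return BindResult(False, ANONYMOUS, "invalidCredentials")

    def whoami(self, session: BindResult) -> str:
        """Models the 'Who am I?' extended operation (RFC 4532)."""
        return session.authz_id


def vulnerable_authenticate(directory: FakeDirectory, dn: str, password: str) -> bool:
    """Typical application logic: 'if the bind succeeds, the user is authenticated'.
    Against a server with the quirk, an empty password passes this check."""
    return directory.simple_bind(dn, password).success


def hardened_authenticate(directory: FakeDirectory, dn: str, password: str) -> bool:
    """Refuse empty credentials before talking to the server at all, then verify
    the server really bound us as the DN we asked for, not anonymously."""
    if not dn or not password:
        return False
    session = directory.simple_bind(dn, password)
    if not session.success:
        return False
    return directory.whoami(session) == "dn:" + dn


if __name__ == "__main__":
    # Constructed sample user.
    quirky = FakeDirectory({"cn=alice,o=acme": "s3cret"})
    print("vulnerable, empty password:", vulnerable_authenticate(quirky, "cn=alice,o=acme", ""))
    print("hardened,   empty password:", hardened_authenticate(quirky, "cn=alice,o=acme", ""))
    print("hardened,   right password:", hardened_authenticate(quirky, "cn=alice,o=acme", "s3cret"))
```

With a real client library the same two lines apply: check for an empty password before calling the bind method (python-ldap's `simple_bind_s`, ldap3's `Connection.bind`), and compare the result of `whoami_s()` (python-ldap) or `extend.standard.who_am_i()` (ldap3) against the expected `dn:` value; the assumption is that the server answers the "Who am I?" operation.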

You suck like a f*cking black hole at security, Novell!