From 1dcd44fcf96f3771aa3cc2e3d28e678fc318fff5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Andriot?=
Date: Tue, 18 Nov 2025 12:04:44 +0100
Subject: [PATCH] Security issue: do not store LDAP passwords in MySQL database
---
 src/include/functions_users.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/include/functions_users.php b/src/include/functions_users.php
index b84cabe..0b87406 100644
--- a/src/include/functions_users.php
+++ b/src/include/functions_users.php
@@ -388,8 +388,8 @@ function CheckLDAPUserLogin( $username, $password )
 // for the moment when a user logs in from LDAP, create it in the DB.
 // then the prefs and group management is done in the DB and we don't rewrite the whole Loganalyzer code…
- /* DB_RemoveBadChars() needs to be done here to maintain backwards compatibility even if it is not needed here*/
- $md5pass = md5(DB_RemoveBadChars($password));
+ /* Don't store LDAP passwords in database */
+ $md5pass = '';
 // check if the user already exist
 $sqlquery = "SELECT * FROM `" . DB_USERS . "` WHERE username = '" . $username . "'";
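Review bot: Setting `$md5pass = ''` stops new writes, but rows created before this change still hold an unsalted MD5 of each user's LDAP password, and nothing in the hunk clears them. The existence check follows immediately and the insert/update path of CheckLDAPUserLogin lies outside the hunk, so it cannot be confirmed from here whether an existing row's stored value is overwritten on the next login; a one-time cleanup that blanks the stored value for LDAP-created accounts would close that gap, and those passwords should be treated as exposed if the database was ever readable by others. The new comment could also record why an empty value is safe, e.g. `/* Don't store LDAP passwords in database; '' never equals an md5() digest, so the DB login path must not match this row (confirm) */`. Separately, the context line building `$sqlquery` concatenates `$username` straight into the SQL string; if it is not escaped earlier in the function (not visible here), it should be escaped or bound as a parameter.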