Bug Tracking System

View Issue Details

ID: 0001293
Project: PacketFence
Category: security
View Status: public
Date Submitted: 2011-10-03 11:42
Last Update: 2011-10-24 20:17
Assigned To: obilodeau
Platform:
OS:
OS Version:
Product Version: devel
Target Version: 3.0.2
Fixed in Version: 3.0.2
Summary: 0001293: Issues with LDAP-based authentication in web administration interface (login.php)
Description: There are two issues with LDAP-based authentication in the web administration interface (in script html/admin/login.php), which may allow an attacker access under certain system setups:

The user-supplied username is not escaped before being interpolated into the LDAP search filter used for authentication, leading to weaker security. For example, a username with a "*" character could be used to perform a substring- or presence-based match on the username LDAP attribute, instead of equality-based. This could help an attacker use a valid username without needing to know of one beforehand.

The user-supplied password is not checked to see if it is nonempty; the isset function used in check_password will still return true on an empty password. This leads to the ability to perform unauthenticated binds (if they are enabled on the LDAP server), allowing an attacker to 'authenticate' into the web administration interface without needing a valid password.
Tags: No tags attached.
fixed in git revision:
fixed in mtn revision: 040493ea147330b41fd2b19d1c3cc1cf8c8d6929
Attached Files:
  security-fix-1293-ldap-anonymous-bind.patch (939 bytes) 2011-10-12 11:00
  security-fix-1293-ldap-injection.patch (799 bytes) 2011-10-12 15:01
  security-fix-1293-anonymous-bind-pf19.patch (1,777 bytes) 2011-10-24 11:27

- Relationships
related to 0001209 (closed, obilodeau): problematic password validation

- Notes
obilodeau (reporter)
2011-10-12 14:31

Fixed the auth bypass with empty password. The patch is a simpler version of the real fix, since I wanted error reporting not to break layout.

I feel very bad about this one, especially since we knew about the possibility and thought we were defended against it. Turns out we misinterpreted this:

"If bind_rdn and bind_password are not specified, an anonymous bind is attempted." from [^]

By thinking that if we were passing an empty string this would count as being specified. Yes! I am blaming it on the manual! ;)

This first fix is committed in revno: d0aba756a3e8ff9002c0dd9be1885ea6d38ea0ff
obilodeau (reporter)
2011-10-12 15:07

Fixed LDAP injection issue. Applying strict rules on what type of usernames are allowed.

Fix will be released in 3.0.2 shortly.

Those who can't wait or who won't upgrade in a timely fashion should apply the attached patch. It should apply cleanly on 2.2.0+. Patches for earlier versions can be provided on request.
obilodeau (reporter)
2011-10-17 10:39

LDAP Authentication bypass has been assigned CVE-2011-4068.

LDAP Injection has been assigned CVE-2011-4069.
obilodeau (reporter)
2011-10-24 13:08

Additional change *not* in the attached patch but in upcoming 3.0.2: allowing dot (.) in username.

Just change regexp to:
  if(preg_match("/^[\@a-zA-Z0-9_\:\,\(\)\.]+$/", $input) && strlen($input) <= 15){

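The following is an added example, not PacketFence's own html/admin/login.php and not the attached patches. It puts the two conditions from the description (unescaped username in the search filter, isset() accepting an empty password and so letting ldap_bind() fall through to an anonymous bind) next to a hardened check_password() that uses the username allowlist from the note above. The LDAP URI, base DN and uid attribute are placeholders; function names other than the PHP ext-ldap calls are hypothetical.

```php
<?php
// Added example (not PacketFence code). Requires ext-ldap (PHP >= 5.6 for ldap_escape).
const LDAP_URI      = 'ldap://ldap.example.org';      // placeholder
const LDAP_BASE_DN  = 'ou=people,dc=example,dc=org';  // placeholder
const LDAP_UID_ATTR = 'uid';                          // placeholder

// Username allowlist from the 2011-10-24 note: letters, digits, @ _ : , ( ) . and at most 15 chars.
// "*" is not in the set, so presence/substring filters cannot be formed from it.
function username_is_valid(string $input): bool
{
    return preg_match("/^[\@a-zA-Z0-9_\:\,\(\)\.]+$/", $input) === 1
        && strlen($input) <= 15;
}

// isset("") is true, which is what let an empty password reach ldap_bind().
// Require a non-empty string instead.
function password_is_usable(?string $password): bool
{
    return is_string($password) && $password !== '';
}

// Escape the value for filter context (defence in depth on top of the allowlist):
// "*", "(", ")" and "\" become \2a, \28, \29, \5c and are matched literally.
function build_user_filter(string $username): string
{
    return '(' . LDAP_UID_ATTR . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
}

// Weak flow as the report describes it. Kept only to show the two failure modes.
function check_password_weak($ldap, string $username, ?string $password): bool
{
    if (!isset($password)) {                      // "" passes this test
        return false;
    }
    $filter  = '(' . LDAP_UID_ATTR . '=' . $username . ')';   // raw interpolation
    $res     = ldap_search($ldap, LDAP_BASE_DN, $filter, ['dn']);
    $entries = $res ? ldap_get_entries($ldap, $res) : false;
    if (!$entries || $entries['count'] < 1) {
        return false;
    }
    // With an empty password this is an anonymous bind and succeeds if the server allows it.
    return ldap_bind($ldap, $entries[0]['dn'], $password);
}

// Hardened flow: validate before any LDAP traffic, escape the filter value,
// require exactly one match, then bind as that DN with the supplied password.
function check_password(string $username, ?string $password): bool
{
    if (!username_is_valid($username) || !password_is_usable($password)) {
        return false;
    }
    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

    $res     = ldap_search($ldap, LDAP_BASE_DN, build_user_filter($username), ['dn']);
    $entries = $res ? ldap_get_entries($ldap, $res) : false;
    if (!$entries || $entries['count'] !== 1) {   // zero or several entries: fail closed
        ldap_close($ldap);
        return false;
    }
    $ok = ldap_bind($ldap, $entries[0]['dn'], $password);
    ldap_close($ldap);
    return $ok === true;
}

// Offline checks on the pure parts (no LDAP server needed).
assert(username_is_valid('j.doe') === true);
assert(username_is_valid('*') === false);
assert(username_is_valid('admin)(uid=*') === false);
assert(username_is_valid(str_repeat('a', 16)) === false);
assert(password_is_usable('') === false);
assert(password_is_usable(null) === false);
assert(password_is_usable('s3cret') === true);
if (function_exists('ldap_escape')) {
    assert(build_user_filter('a*b') === '(uid=a\2ab)');
}
```

In a deployment the search step would normally run under a dedicated read-only service bind rather than anonymously, and a count other than exactly one should be logged as an anomaly rather than silently failing, since it indicates either a duplicate uid or a filter that matched more than intended.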
obilodeau (reporter)
2011-10-24 20:15

fix released in 3.0.2

- Issue History
Date Modified Username Field Change
2011-10-03 11:42 mattd New Issue
2011-10-06 11:46 obilodeau Status new => assigned
2011-10-06 11:46 obilodeau Assigned To => obilodeau
2011-10-12 11:00 obilodeau File Added: security-fix-1293-ldap-anonymous-bind.patch
2011-10-12 14:31 obilodeau Note Added: 0002337
2011-10-12 15:01 obilodeau File Added: security-fix-1293-ldap-injection.patch
2011-10-12 15:07 obilodeau mtn revision => 040493ea147330b41fd2b19d1c3cc1cf8c8d6929
2011-10-12 15:07 obilodeau Note Added: 0002338
2011-10-12 15:07 obilodeau Status assigned => resolved
2011-10-12 15:07 obilodeau Fixed in Version => +1
2011-10-12 15:07 obilodeau Resolution open => fixed
2011-10-12 15:07 obilodeau Relationship added related to 0001209
2011-10-17 10:39 obilodeau Note Added: 0002364
2011-10-24 11:27 dwuelfrath File Added: security-fix-1293-anonymous-bind-pf19.patch
2011-10-24 13:08 obilodeau Note Added: 0002377
2011-10-24 16:45 obilodeau View Status private => public
2011-10-24 20:15 obilodeau Target Version => 3.0.2
2011-10-24 20:15 obilodeau Note Added: 0002385
2011-10-24 20:16 obilodeau Status resolved => closed
2011-10-24 20:17 obilodeau Fixed in Version +1 => 3.0.2
