PacketFence - BTS - PacketFence
View Issue Details
ID: 0001293
Project: PacketFence
Category: security
View Status: public
Date Submitted: 2011-10-03 11:42
Last Update: 2011-10-24 20:17
Reporter: mattd
Assigned To: obilodeau
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: devel
Target Version: 3.0.2
Fixed in Version: 3.0.2
mtn revision: 040493ea147330b41fd2b19d1c3cc1cf8c8d6929
0001293: Issues with LDAP-based authentication in web administration interface (login.php)
There are two issues with LDAP-based authentication in the web administration interface (in script html/admin/login.php), which may allow an attacker access under certain system setups:

The user-supplied username is not escaped before being interpolated into the LDAP search filter used for authentication, leading to weaker security. For example, a username with a "*" character could be used to perform a substring- or presence-based match on the username LDAP attribute, instead of equality-based. This could help an attacker use a valid username without needing to know of one beforehand.

The user-supplied password is not checked to see if it is nonempty; the isset function used in check_password will still return true on an empty password. This leads to the ability to perform unauthenticated binds (if they are enabled on the LDAP server), allowing an attacker to 'authenticate' into the web administration interface without needing a valid password.
No tags attached.
Relationships: related to 0001209 (closed, obilodeau): problematic password validation

Attached Files:
- patch security-fix-1293-ldap-anonymous-bind.patch (939 bytes), 2011-10-12 11:00: https://www.packetfence.org/bugs/file_download.php?file_id=109&type=bug
- patch security-fix-1293-ldap-injection.patch (799 bytes), 2011-10-12 15:01: https://www.packetfence.org/bugs/file_download.php?file_id=110&type=bug
- patch security-fix-1293-anonymous-bind-pf19.patch (1,777 bytes), 2011-10-24 11:27: https://www.packetfence.org/bugs/file_download.php?file_id=115&type=bug
Issue History
2011-10-03 11:42  mattd        New Issue
2011-10-06 11:46  obilodeau    Status: new => assigned
2011-10-06 11:46  obilodeau    Assigned To: => obilodeau
2011-10-12 11:00  obilodeau    File Added: security-fix-1293-ldap-anonymous-bind.patch
2011-10-12 14:31  obilodeau    Note Added: 0002337
2011-10-12 15:01  obilodeau    File Added: security-fix-1293-ldap-injection.patch
2011-10-12 15:07  obilodeau    mtn revision: => 040493ea147330b41fd2b19d1c3cc1cf8c8d6929
2011-10-12 15:07  obilodeau    Note Added: 0002338
2011-10-12 15:07  obilodeau    Status: assigned => resolved
2011-10-12 15:07  obilodeau    Fixed in Version: => +1
2011-10-12 15:07  obilodeau    Resolution: open => fixed
2011-10-12 15:07  obilodeau    Relationship added: related to 0001209
2011-10-17 10:39  obilodeau    Note Added: 0002364
2011-10-24 11:27  dwuelfrath   File Added: security-fix-1293-anonymous-bind-pf19.patch
2011-10-24 13:08  obilodeau    Note Added: 0002377
2011-10-24 16:45  obilodeau    View Status: private => public
2011-10-24 20:15  obilodeau    Target Version: => 3.0.2
2011-10-24 20:15  obilodeau    Note Added: 0002385
2011-10-24 20:16  obilodeau    Status: resolved => closed
2011-10-24 20:17  obilodeau    Fixed in Version: +1 => 3.0.2

Notes
(0002337) obilodeau, 2011-10-12 14:31
Fixed the auth bypass with empty password. The patch is a simpler version of the real fix, since I wanted error reporting not to break layout.

I feel very bad about this one, especially since we knew about the possibility and thought we were defended against it. Turns out we misinterpreted this:

"If bind_rdn and bind_password are not specified, an anonymous bind is attempted." from http://www.php.net/manual/en/function.ldap-bind.php

By thinking that if we were passing an empty string this would count as being specified. Yes! I am blaming it on the manual! ;)

This first fix is committed in revno: d0aba756a3e8ff9002c0dd9be1885ea6d38ea0ff
(0002338) obilodeau, 2011-10-12 15:07
Fixed LDAP injection issue. Applying strict rules on what type of usernames are allowed.

Fix will be released in 3.0.2 shortly.

Those who can't wait or who won't upgrade in a timely fashion should apply the attached patch. It should apply cleanly on 2.2.0+. Patches for earlier versions can be provided on request.
(0002364) obilodeau, 2011-10-17 10:39
LDAP Authentication bypass has been assigned CVE-2011-4068.

LDAP Injection has been assigned CVE-2011-4069.
(0002377) obilodeau, 2011-10-24 13:08
Additional change *not* in the attached patch but in upcoming 3.0.2: allowing dot (.) in username.

Just change regexp to:
  if(preg_match("/^[\@a-zA-Z0-9_\:\,\(\)\.]+$/", $input) && strlen($input) <= 15){

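The two checks behind this fix (refuse an empty password before any bind is attempted, and constrain the username before it reaches the LDAP search filter) are reimplemented below in Python as an added illustration; this is not the project's PHP code from login.php. The username whitelist is the 3.0.2 regexp quoted in note 0002377; the RFC 4515 escaping of filter metacharacters is an extra defence-in-depth step added here, since that whitelist still admits parentheses.

```python
import re

# Username whitelist taken from the 3.0.2 rule quoted in note 0002377:
# letters, digits, "@", "_", ":", ",", "(", ")", "." and at most 15 characters.
USERNAME_RE = re.compile(r"^[@a-zA-Z0-9_:,().]+$")
MAX_USERNAME_LEN = 15

# Characters with special meaning inside an LDAP search filter (RFC 4515).
FILTER_SPECIALS = "*()\\\x00"


def username_allowed(username):
    """Strict whitelist applied before the username is used anywhere."""
    return bool(USERNAME_RE.match(username)) and len(username) <= MAX_USERNAME_LEN


def escape_filter_value(value):
    # Each special character becomes a backslash plus its two-digit hex code,
    # e.g. "*" -> "\2a", "(" -> "\28", ")" -> "\29", so it loses its filter meaning.
    return "".join("\\%02x" % ord(ch) if ch in FILTER_SPECIALS else ch for ch in value)


def build_filter_unsafe(attr, username):
    """Raw interpolation as in the pre-fix login.php: "*" acts as a wildcard."""
    return "(%s=%s)" % (attr, username)


def build_filter_safe(attr, username):
    """Whitelist first, then escape whatever the whitelist still lets through."""
    if not username_allowed(username):
        raise ValueError("username rejected by whitelist")
    return "(%s=%s)" % (attr, escape_filter_value(username))


def credentials_acceptable(username, password):
    """Gate placed in front of the bind call.

    The original check used PHP's isset(), which is also true for "", so an
    empty password reached ldap_bind and could turn into an anonymous bind.
    A missing or empty password is refused here before any bind is attempted.
    """
    if password is None or password == "":
        return False
    return username_allowed(username)
```
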
(0002385) obilodeau, 2011-10-24 20:15
fix released in 3.0.2