Support Incident Tracker Forum • View topic - Login without password possible?! Security issue!!!

Discuss and get help installing, using and configuring SiT!

Login without password possible?! Security issue!!!

Postby Remco_H » Wed Jan 20, 2010 2:12 pm

Hello people,
We're running SIT 3.50 with LDAP authentication (Novell eDir).

BIG problem that I discovered is that I can login without password on any user except for admin... With password I can login on the SIT system, wrong password isn't accepted, but leave the password blank and I can login as every user (except admin) on the SIT system.
I've just found out this morning, because I never tried to login without password. But is there anyone who also has this problem???

With kind regards,
Remco
Remco_H
Lurker
 
Posts: 2
Joined: Wed Jan 20, 2010 1:46 pm

Re: Login without password possible?! Security issue!!!

Postby lee.todis » Wed Jan 20, 2010 4:11 pm

I can confirm this. I can login in the same scenario. If I enter a wrong password, then I cannot login, but blank password and I am in as well.

Yeah, this is a huge problem. I even tried it with a machine that has no caching on it.

Someone???
lee.todis
Community Contributor
 
Posts: 42
Joined: Fri Oct 30, 2009 2:38 pm

Re: Login without password possible?! Security issue!!!

Postby ivanlucas » Wed Jan 20, 2010 6:55 pm

Hi Guys,

I've logged this as a bug (1047) and given it the highest priority. I'm not in a position to test this right this moment since I don't have a directory here with me, but as you say it's potentially a huge issue.

Since this is so serious, if you want an immediate work-around to make your systems safe you can insert the following line of code into your lib/functions.inc.php file at line 152 (assuming you're running v3.50).

Code:
if (empty($password)) return false;

This will ensure it's never possible to login with an empty password. A proper fix will be included with 3.51 after we've had time to investigate this properly.

Thanks for reporting this! Wow what a shocker.

All the best,

Ivan
Ivan Lucas, Project Lead, Support Incident Tracker (SiT!) GPL. ......... Chat live on irc, #sit on freenode.
ivanlucas
SiT! Developer
 
Posts: 998
Joined: Sun Feb 01, 2009 9:49 pm
Location: Derbyshire, UK

Re: Login without password possible?! Security issue!!!

Postby paulheaney » Wed Jan 20, 2010 8:59 pm

Hi,

After some testing this appears to be caused by how eDirectory (and possibly other directories) handle binds without a password (as anonymous), thus SiT sees a successful auth and lets you in.

In 3.51 we now enforce a username AND a password. A patch is available at http://bugs.sitracker.org/file_download ... 5&type=bug and the full patched functions.inc.php is available at http://bugs.sitracker.org/file_download ... 6&type=bug

Paul
paulheaney
SiT! Developer
 
Posts: 116
Joined: Sun Feb 01, 2009 9:49 pm
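The failure mode Paul describes (an empty-password simple bind answered as an anonymous bind) and the empty-password check Ivan posted, as an added Python model that is not SiT's own code. FakeDirectory, user_dn, login_vulnerable and login_fixed are constructed here, and the directory is simulated in-process rather than contacted over LDAP.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FakeDirectory:
    """Constructed stand-in for a directory that, like eDirectory in this
    thread, treats a simple bind with a DN and an empty password as an
    unauthenticated (anonymous) bind and reports success, not failure."""
    passwords: dict = field(default_factory=dict)  # dn -> password

    def simple_bind(self, dn: str, password: str) -> Optional[str]:
        """Return the identity that ended up bound, or None on failure.
        An empty string means the session is bound anonymously."""
        if password == "":
            return ""                      # unauthenticated bind -> anonymous
        if self.passwords.get(dn) == password:
            return dn                      # genuine credential check passed
        return None                        # invalid credentials


def user_dn(username: str) -> str:
    return f"cn={username},ou=people,o=example"   # assumed DN layout


def login_vulnerable(directory: FakeDirectory, username: str, password: str) -> bool:
    """Pattern the thread describes for SiT 3.50: any bind that does not
    fail is taken as a successful login, so a blank password gets in."""
    return directory.simple_bind(user_dn(username), password) is not None


def login_fixed(directory: FakeDirectory, username: str, password: str) -> bool:
    """Two layers: refuse empty credentials before contacting the directory
    (the posted work-around), and after binding confirm the bound identity
    is the user's own DN rather than anonymous (what an LDAP 'Who am I?'
    request, RFC 4532, would report on a real server)."""
    if not username or not password:
        return False
    dn = user_dn(username)
    return directory.simple_bind(dn, password) == dn
```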

Re: Login without password possible?! Security issue!!!

Postby paulheaney » Wed Jan 20, 2010 9:14 pm

Hi,

Patch for this issue is here as well, if you change to <sit root>/lib and run "patch < bug1047.diff"

Any problems let me know.

Cheers
Paul
Attachment: bug1047.diff (patch for the issue, 9.92 KiB)
paulheaney
SiT! Developer
 
Posts: 116
Joined: Sun Feb 01, 2009 9:49 pm

Re: Login without password possible?! Security issue!!!

Postby lee.todis » Wed Jan 20, 2010 9:22 pm

Patch applied and tested.

Works as intended now, cannot login without password now.

Thank you for the FAST work!!
lee.todis
Community Contributor
 
Posts: 42
Joined: Fri Oct 30, 2009 2:38 pm

Re: Login without password possible?! Security issue!!!

Postby Remco_H » Thu Jan 21, 2010 8:55 am

Hello,
Applied the patch too, it is working fine now. Thanks for the fast responses and patch work!!!!

Regards,
Remco
Remco_H
Lurker
 
Posts: 2
Joined: Wed Jan 20, 2010 1:46 pm

Re: Login without password possible?! Security issue!!!

Postby paulheaney » Thu Jan 21, 2010 12:19 pm

Hi Remco,

Glad the fix worked for you as well.

Cheers
Paul
paulheaney
SiT! Developer
 
Posts: 116
Joined: Sun Feb 01, 2009 9:49 pm

Re: Login without password possible?! Security issue!!!

Postby Craig Borten » Tue Oct 29, 2013 11:47 am

Hey, I am facing the very same problem here. I am running SIT v3.67 with LDAP authentication. The authentication fails for wrong password. But, on leaving the password field blank lets you log in! How to apply the patch?

Craig Borten
Just Arrived
 
Posts: 1
Joined: Tue Oct 29, 2013 5:19 am

Re: Login without password possible?! Security issue!!!

Postby Tomse » Fri Nov 01, 2013 9:17 am

You might want to upgrade to the latest version.

cheers
Tomse
SiT! Developer
 
Posts: 1137
Joined: Fri Feb 20, 2009 10:51 am
Location: Somewhere near Copenhagen Denmark