Hello people,
We're running SIT 3.50 wih LDAP authentication (Novell edir).
BIG problem that i discovered is that i can login without password on any user accept for admin... With password I can login on the SIT system, wrong password isn't accepted, but leave the password blank I can login in every user (accept admin) on the SIT system.
I've just find out this morning, because I never tried to login without password. But is there anyone who also has this problem???
With kind regards,
Remco
Login without password possible?! Security issue!!!
8 posts
• Page 1 of 1
Login without password possible?! Security issue!!!
by Remco_H » Wed Jan 20, 2010 2:12 pm
- Remco_H
- Lurker
- Posts: 2
- Joined: Wed Jan 20, 2010 1:46 pm
Re: Login without password possible?! Security issue!!!
by lee.todis » Wed Jan 20, 2010 4:11 pm
I can confirm this. I can login in the same scenario. If I enter a wrong password, then I cannot login, but blank password and I am in as well.
Yeah, this is a huge problem. I even tried it with a machine that has no caching on it.
Someone???
Yeah, this is a huge problem. I even tried it with a machine that has no caching on it.
Someone???
- lee.todis
- Community Contributor
- Posts: 42
- Joined: Fri Oct 30, 2009 2:38 pm
Re: Login without password possible?! Security issue!!!
by ivanlucas » Wed Jan 20, 2010 6:55 pm
Hi Guys,
I've logged this as a bug (1047) and given it the highest priority, I'm not in a position to test this right this moment since I don't have a directory here with me but as you say it's potentially a huge issue.
Since this is so serious, if you want an immediate work-around to make your systems safe you can insert the following line of code into your lib/functions.inc.php file at line 152 (assuming you're running v3.50)
This will ensure it's never possible to login with an empty password. A proper fix will be included with 3.51 after we've had time to investigate this properly.
Thanks for reporting this! Wow what a shocker.
All the best,
Ivan
I've logged this as a bug (1047) and given it the highest priority, I'm not in a position to test this right this moment since I don't have a directory here with me but as you say it's potentially a huge issue.
Since this is so serious, if you want an immediate work-around to make your systems safe you can insert the following line of code into your lib/functions.inc.php file at line 152 (assuming you're running v3.50)
- Code: Select all
if (empty($password)) return false;
This will ensure it's never possible to login with an empty password. A proper fix will be included with 3.51 after we've had time to investigate this properly.
Thanks for reporting this! Wow what a shocker.
All the best,
Ivan
Ivan Lucas, Project Lead, Support Incident Tracker (SiT!) GPL. ......... Chat live on irc, #sit on freenode.
Help free software: Make a donation to the SiT! project or Join the Free Software Foundation as an Associate Member.
Help free software: Make a donation to the SiT! project or Join the Free Software Foundation as an Associate Member.
-
ivanlucas - SiT! Developer
- Posts: 930
- Joined: Sun Feb 01, 2009 9:49 pm
- Location: Derbyshire, UK
Re: Login without password possible?! Security issue!!!
by paulheaney » Wed Jan 20, 2010 8:59 pm
Hi,
After some testing this appears to be caused how now eDirectory (and possibly other directories) handle binds without a password (as anonymous) thus SiT sees a successful auth and lets you in.
In 3.51 we now enforce a username AND a password a patch is available at http://bugs.sitracker.org/file_download ... 5&type=bug and the full patched functions.inc.php is available at http://bugs.sitracker.org/file_download ... 6&type=bug
Paul
After some testing this appears to be caused how now eDirectory (and possibly other directories) handle binds without a password (as anonymous) thus SiT sees a successful auth and lets you in.
In 3.51 we now enforce a username AND a password a patch is available at http://bugs.sitracker.org/file_download ... 5&type=bug and the full patched functions.inc.php is available at http://bugs.sitracker.org/file_download ... 6&type=bug
Paul
- paulheaney
- SiT! Developer
- Posts: 116
- Joined: Sun Feb 01, 2009 9:49 pm
Re: Login without password possible?! Security issue!!!
by paulheaney » Wed Jan 20, 2010 9:14 pm
Hi,
Patch for this issue is here as well, if you change to <sit root>/lib and run "patch < bug1047.diff"
Any problems let me know.
Cheers
Paul
Patch for this issue is here as well, if you change to <sit root>/lib and run "patch < bug1047.diff"
Any problems let me know.
Cheers
Paul
- Attachments
-
bug1047.diff- Patch for the issue
- (9.92 KiB) Downloaded 34 times
- paulheaney
- SiT! Developer
- Posts: 116
- Joined: Sun Feb 01, 2009 9:49 pm
Re: Login without password possible?! Security issue!!!
by lee.todis » Wed Jan 20, 2010 9:22 pm
Patch applied and tested.
Works as intended now, cannot login without password now.
Thank you for the FAST work!!
Works as intended now, cannot login without password now.
Thank you for the FAST work!!
- lee.todis
- Community Contributor
- Posts: 42
- Joined: Fri Oct 30, 2009 2:38 pm
Re: Login without password possible?! Security issue!!!
by Remco_H » Thu Jan 21, 2010 8:55 am
Hello,
Applied the patch to, is working fine now. Thanks for the fast responses and patch work!!!!
Regards,
Remco
Applied the patch to, is working fine now. Thanks for the fast responses and patch work!!!!
Regards,
Remco
- Remco_H
- Lurker
- Posts: 2
- Joined: Wed Jan 20, 2010 1:46 pm
Re: Login without password possible?! Security issue!!!
by paulheaney » Thu Jan 21, 2010 12:19 pm
Hi Remco,
Glad the fix worked for you as well.
Cheers
Paul
Glad the fix worked for you as well.
Cheers
Paul
- paulheaney
- SiT! Developer
- Posts: 116
- Joined: Sun Feb 01, 2009 9:49 pm
8 posts
• Page 1 of 1
Return to Installing, Configuring and Using SiT!
Who is online
Users browsing this forum: No registered users and 2 guests