Possible LDAP Security Flaw.. feedback wanted.

Added by Marcus Schmidt almost 10 years ago

I just had a security scare where a user could login to Redmine without providing a password, just as long as the user existed in the database and was set to use LDAP authentication. With the help of a few people more knowledgeable than myself, I believe it has been resolved. What made this difficult to troubleshoot was that LDAP authentication worked correctly on a Mac (Mac OS X 10.5.2), but not on either of two RHEL 5 servers.

The problem itself seems to be related to Redmine successfully finding the user on the LDAP server and if found, allowing a blank password for successful authentication. Any characters entered in the password field (with the exception of the correct password) still result in an unsuccessful authentication.

To fix this issue, a colleague added the following piece of code to the User model, towards the beginning of self.try_to_login:

  def self.try_to_login(login, password)
    user = find(:first, :conditions => ["login=?", login])
    # added check: never attempt LDAP authentication with an empty password
    if password.empty?
      return nil
    end

Replies (4)

RE: Possible LDAP Security Flaw.. feedback wanted. - Added by Jean-Philippe Lang almost 10 years ago

I think it's the same issue as reported here: #714. It was fixed in r1169.

RE: Possible LDAP Security Flaw.. feedback wanted. - Added by John Goerzen almost 10 years ago

That seems to have happened after the 0.6.3 release was made.

I would strongly encourage an immediate 0.6.4 release and security announcement regarding this immediately. Otherwise people will be downloading and installing code that has known security vulnerabilities, unless they happen to follow trunk. Following trunk wouldn't exactly be the first instinct for someone deploying a web app on a production server, either.

I realize that you didn't duplicate the problem against openLDAP, but it seems to have bitten more than one person already.

Can't be too careful with security.

-- John

RE: Possible LDAP Security Flaw.. feedback wanted. - Added by Marcus Schmidt almost 10 years ago

I'm sorry. I forgot to mention this is with today's build, 1226, so I believe either it is unrelated or it has cropped up again. And as I said, this is on RHEL 5, likely a common platform for deployment.

Great package and keep up the brilliant work!!!

-marcus

RE: Possible LDAP Security Flaw.. feedback wanted. - Added by Jean-Philippe Lang almost 10 years ago

I can't see how it can happen with r1226 since AuthSourceLdap#authenticate was fixed this way in r1169:

def authenticate(login, password)
  return nil if login.blank? || password.blank?
  attrs = []
  # get user's DN
  ...

Anyway, fix is applied and a 0.6.4 should be released in the next hours.
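The behaviour discussed in this thread (a user with LDAP authentication getting in with an empty password, while any wrong password is rejected) is consistent with the directory treating a simple bind that carries a DN but no password as an "unauthenticated" bind, which succeeds without checking a credential. The following is an added illustration, not Redmine's code or the code from r1169: it models that directory behaviour with an in-memory FakeDirectory (the entries, DNs and passwords are constructed), shows a naive flow that treats any non-failing bind as a login, and beside it a hardened flow that, like the fix quoted above, refuses blank credentials before binding and only accepts a bind that verified the password. The function names authenticate_naive and authenticate_fixed are assumptions for this example.

```ruby
# Added example (not Redmine's code): why an application must reject a blank
# password *before* performing an LDAP simple bind. Many directory servers
# treat a simple bind with a DN and an empty password as an "unauthenticated"
# bind (RFC 4513, section 5.1.2) that succeeds without checking any credential.
# FakeDirectory models that behaviour in memory; nothing touches the network.

class FakeDirectory
  # Constructed sample entries: DN => attributes. Passwords are made up.
  ENTRIES = {
    "uid=marcus,ou=people,dc=example,dc=org" => { "uid" => "marcus", "userPassword" => "s3cret-example" },
    "uid=alice,ou=people,dc=example,dc=org"  => { "uid" => "alice",  "userPassword" => "another-example" },
  }.freeze

  # Look up a user's DN by login (the "get user's DN" step in the thread).
  def search_dn(login)
    dn, _attrs = ENTRIES.find { |_, attrs| attrs["uid"] == login }
    dn
  end

  # Simple bind as the directory sees it. Returns :authenticated, :anonymous
  # or :invalid_credentials. A non-empty DN with an empty password is an
  # unauthenticated bind: it "succeeds" without proving the caller's identity.
  def bind(dn, password)
    return :anonymous if password.to_s.empty?
    entry = ENTRIES[dn]
    entry && entry["userPassword"] == password ? :authenticated : :invalid_credentials
  end
end

# Flawed flow matching the symptom in the thread: any bind that does not fail
# outright is taken as proof of identity, so an empty password logs the user in
# while every wrong password is still rejected.
def authenticate_naive(dir, login, password)
  dn = dir.search_dn(login)
  return nil unless dn
  dir.bind(dn, password) == :invalid_credentials ? nil : login
end

# Hardened flow in the spirit of r1169: refuse blank credentials (including
# whitespace-only, as Rails' blank? does) before any bind, and only accept a
# bind result that actually verified the password.
def authenticate_fixed(dir, login, password)
  return nil if login.to_s.strip.empty? || password.to_s.strip.empty?
  dn = dir.search_dn(login)
  return nil unless dn
  dir.bind(dn, password) == :authenticated ? login : nil
end

if __FILE__ == $PROGRAM_NAME
  dir = FakeDirectory.new
  puts "naive, empty password: #{authenticate_naive(dir, 'marcus', '').inspect}"              # "marcus" (the flaw)
  puts "fixed, empty password: #{authenticate_fixed(dir, 'marcus', '').inspect}"              # nil
  puts "fixed, right password: #{authenticate_fixed(dir, 'marcus', 's3cret-example').inspect}" # "marcus"
end
```

The second guard in authenticate_fixed (requiring :authenticated rather than merely "not :invalid_credentials") matters even with the blank check in place: it keeps the login path correct if some other code path ever reaches the bind with an empty or whitespace password.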
