First Last Prev Next    This bug is not in your last search results.
Bug 51903 - UCS user authentication takes place after the "PW expired" check
UCS user authentication takes place after the "PW expired" check
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.4
Other Linux
: P5 normal (vote)
: UCS 4.4-6-errata
Assigned To: Felix Botner
Julia Bremer
:
Depends on: 43384
Blocks:
  Show dependency treegraph
 
Reported: 2020-08-25 14:18 CEST by Marc Schwarz
Modified: 2020-10-07 14:32 CEST (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.069
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Regression, Security
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marc Schwarz univentionstaff 2020-08-25 14:18:07 CEST 
univention-app info
UCS: 4.4-5 errata712
Installed: adconnector=12.0 itslearning=3.2 self-service=4.0 self-service-backend=4.0 ucs-to-school-transformer=1.3.2 ucsschool=4.4 v6 ucssc
Upgradable: ucsschool-kelvin-rest-api


Despite the incorrect entry of the password, the message "Your password has expired. Please change your password and log in again" is displayed when a user logs in for whom the flag "User must change the password at the next login" is set .
If the password is entered incorrectly, the user should receive a message stating that the login data is incorrect.
Comment 1 Florian Best univentionstaff 2020-09-09 13:10:22 CEST 
This only applies to the SAML login and was introduced in git:174254e04b288cee5f7799adb4ddfbce4b536573 (Bug #43384)
Comment 3 Ingo Steuwer univentionstaff 2020-09-09 17:41:21 CEST 
I don't see a security risk here. It is a usability issue, though.
Comment 4 Florian Best univentionstaff 2020-09-09 17:43:23 CEST 
(In reply to Ingo Steuwer from comment #3)
> I don't see a security risk here. It is a usability issue, though.

With the knowledge of a username one can find out if the user is expired or disabled, without knowing its password.
Without any knowledge, one can brute force for usernames which are expired or disabled.
Comment 5 Felix Botner univentionstaff 2020-09-23 14:11:55 CEST 
r19153 - simplesamlphp
 added simplesamlphp/4.4-0-0-ucs/1.16.3-1+deb10u1-errata4.4-6/06_extended_error.quilt to expose the LDAP extended error message

58a608cc20c0d412a95932c7097c65ebdcd47037 - simplesamlphp.yaml

f6380357f1344b9dc8b3b38585e66a910342a26f - univention-saml
 in case of WRONGUSERPASS check for password change only if extended error 
 indicates password/account has expired

400b07f12888a7cfd8fdfb4df50b08ecbce8ee14 - univention-saml.yaml

8488effd72ff97027a0a196cf2f4cce68fd3f70e - ucs-test 
 extended 10_saml_password_expire and 11_saml_user_expire

QA please re-open after successful QA for merge to 5.0
Comment 6 Julia Bremer univentionstaff 2020-09-29 09:30:58 CEST 
Test failed on s4 member since creation, because the login was checked before the new test user was added in the masters samba database.

1069894f34fff516a9b02dff7ec185ab8bfd677b seems to have fixed this for now
See Bug #52145
Comment 7 Julia Bremer univentionstaff 2020-09-29 15:37:29 CEST 
What I tested: 
SAML/UMC login with/without Samba: False password is detected, User is not instructed to change the password OK

SAML/UMC login with user from AD domain: False password is detected, User is not instructed to change the password OK

Tests: OK
YAML: OK

VERIFIED

Reopen: Create merge-request for 5.0
Comment 8 Felix Botner univentionstaff 2020-09-29 16:43:15 CEST 
Merge Request: https://git.knut.univention.de/univention/ucs/-/merge_requests/4
f6380357f1344b9dc8b3b38585e66a910342a26f
8488effd72ff97027a0a196cf2f4cce68fd3f70e
1069894f34fff516a9b02dff7ec185ab8bfd677b

patch: r19158, package built in UCS5
Comment 9 Julia Bremer univentionstaff 2020-09-29 17:08:07 CEST 
Ok merge request created, simplesamlphp built in ucs5
First Last Prev Next    This bug is not in your last search results.