Univention Bugzilla – Full Text Bug Listing

| Summary: | Don't pass command credentials via "$@" | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Stefan Gohmann <gohmann> |
| Component: | Join (univention-join) | Assignee: | Florian Best <best> |
| Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, gulden, hahn, requate, steuwer |
| Version: | UCS 5.0 | | |
| Target Milestone: | UCS 5.0 | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=20611, https://forge.univention.org/bugzilla/show_bug.cgi?id=20610 | | |
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | Security |
| Max CVSS v3 score: | 7.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) | | |
| Bug Depends on: | | | |
| Bug Blocks: | 53100, 53101 | | |
| Attachments: | patch (git:fbest/31996-remove-bindpwd-joinscript-call) | | |
Description

Stefan Gohmann
2013-07-17 12:12:55 CEST

See Bug #24758 for an unsafe use in /usr/share/univention-lib/umc.sh

Is this idea still relevant? At least it wasn't considered when migrating to the bindpwdfile API.

This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.

We really should stop passing credentials via the command line, which is trivial to exploit and can result in a complete security breach.

Created attachment 10656
patch (git:fbest/31996-remove-bindpwd-joinscript-call)

Patch which removes the possibility to pass --bindpwd=$plaintextpassword.

Developer reference should be checked as well. A release note entry should be added.

univention-join (12.0.3-5)
6f30fbfcc4d8 | Bug #31996: remove support for --bindpwd credential passing

release-notes-5.0-0-en.xml
release-notes-5.0-0-de.xml
changelog-5.0-0.xml
84649b296d28 | Bug #31996: remove support for --bindpwd credential passing

UCS 5.0 has been released:
https://docs.software-univention.de/release-notes-5.0-0-en.html
https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".
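The pattern the fix moves callers to, as an added example that is not univention-join's own code: the bind password is handed over through a 0600 file named by `--bindpwdfile=` instead of appearing in argv, plus a small lint that finds scripts still using `--bindpwd` (the "developer reference should be checked" follow-up). The consumer script, the password value and the `--binddn` argument are constructed for the demo and assumed, not taken from the bug.

```shell
#!/bin/sh
# Added example, not code from univention-join. A bind password in argv is
# readable by every local user (ps, /proc/<pid>/cmdline); this wrapper keeps
# it in a 0600 temp file and passes only the path as --bindpwdfile=.
# The consumer script and all values below are constructed for the demo.

# Run "$@" with --bindpwdfile=<tempfile> appended. The secret comes from the
# shell variable BINDPWD and never appears on a command line.
run_with_bindpwdfile() {
    [ -n "${BINDPWD:-}" ] || { echo 'BINDPWD is not set' >&2; return 2; }
    old_umask=$(umask)
    umask 077                          # the file is 0600 from creation on
    pwfile=$(mktemp) || return 1
    umask "$old_umask"
    printf '%s' "$BINDPWD" > "$pwfile"
    "$@" --bindpwdfile="$pwfile"
    rc=$?
    rm -f "$pwfile"                    # do not leave the secret on disk
    return "$rc"
}

# Lint: print every line of a script that still passes --bindpwd via argv
# (--bindpwdfile does not match). Exit 1 when offenders exist, else 0.
find_bindpwd_argv() {
    if grep -nE -- '--bindpwd(=|[[:space:]])' "$1"; then return 1; fi
}

# Demo: a constructed stand-in for a join script that reports each argument
# it received, and the content of the password file instead of its path.
demo() {
    consumer=$(mktemp)
    cat > "$consumer" <<'EOF'
#!/bin/sh
for a in "$@"; do
    case $a in
        --bindpwdfile=*) printf 'argv: --bindpwdfile=<path>\n'
                         printf 'file: %s\n' "$(cat "${a#--bindpwdfile=}")" ;;
        *)               printf 'argv: %s\n' "$a" ;;
    esac
done
EOF
    chmod 0700 "$consumer"
    BINDPWD='s3cret-demo'              # constructed secret for the demo
    run_with_bindpwdfile "$consumer" --binddn='cn=admin,dc=example,dc=org'
    unset BINDPWD
    rm -f "$consumer"
}
```

Calling `demo` prints the argv the consumer saw (no password in it) and the password it read from the file; `find_bindpwd_argv some.inst` lists any remaining `--bindpwd` call sites.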