Univention Bugzilla – Full Text Bug Listing

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Self Service allows scanning for usernames | | |
| Product | UCS | Reporter | Sönke Schwardt-Krummrich <schwardt> |
| Component | Self Service | Assignee | Florian Best <best> |
| Status | CLOSED FIXED | QA Contact | Daniel Tröder <troeder> |
| Severity | normal | | |
| Priority | P5 | CC | best, troeder, walkenhorst |
| Version | UCS 4.1 | | |
| Target Milestone | UCS 4.1-0-errata | | |
| Hardware | Other | | |
| OS | Linux | | |
| What kind of report is it? | Security Issue | What type of bug is this? | --- |
| Who will be affected by this bug? | --- | How will those affected feel about the bug? | --- |
| User Pain | | Enterprise Customer affected? | |
| School Customer affected? | | ISV affected? | |
| Waiting Support | | Flags outvoted (downgraded) after PO Review | |
| Ticket number | | Bug group (optional) | Security |
| Max CVSS v3 score | | | |
| Bug Depends on | | | |
| Bug Blocks | 37890 | | |
| Attachments | Change reply to the same as with bad password. | | |
Description
Sönke Schwardt-Krummrich
2015-11-13 14:49:49 CET
Created attachment 7317
Change reply to the same as with bad password.
Forget that patch - it doesn't solve the problem. Fixed with commit 65892 (incl YAML). If an unknown username is provided, the error message is now the same as for users that have not (yet) registered a contact.

In the last commit only get_reset_methods() was protected against scanning for usernames, but the other functions could be used in the same way. Commit 65893 changes that.

Still possible in various ways:

```shell
> curl 'http://10.200.27.30/univention-self-service/passwordreset/send_token' -H 'Accept-Language: en-US' -H 'Content-Type: application/json' -H 'X-Requested-With: XMLHttpRequest' --data-binary '{"username":"anton2","method":"foobar"}'
{"message": "Unknown recovery method 'foobar'."}
```

→ user/mail address exists

```shell
> curl 'http://10.200.27.30/univention-self-service/passwordreset/send_token' -H 'Accept-Language: en-US' -H 'Content-Type: application/json' -H 'X-Requested-With: XMLHttpRequest' --data-binary '{"username":"anton","method":"foobar"}'
{"message": "No contact information to send a token for password recovery to has been found."}
```

→ user/mail address doesn't exist.

get_reset_methods() is still vulnerable because you can expect a specific response for existing users. Requiring the password here would solve this.

If you are able (due to a race condition and multiple module processes) to have multiple tokens in the database you can also use set_password() to guess usernames.

It's possible also to guess usernames because they are blacklisted. Every "Domain Administrator" username can therefore be gained.

If the ldap server is down some exceptions are also providing information because you know in which lines LDAP operations are done (and not done if the user is okay).

The implementation is also a little bit error prone to future adaptions because the string literals are copied.

I took the bug and corrected all those points in svn r66116. Switching QA therefore.
Code: OK: each method raises only one type of Exception (before user is authenticated) with each only one textual response.

Tests: OK

* Ran for each USERNAME in {existing_user_without_contact, not_a_user, "", "@", "Administrator"}:

  ```shell
  curl -H "Content-Type: application/json" -H "Accept-Language: en_EN" -X POST -d '{"username": $USERNAME}' http://10.200.3.35/univention-self-service/passwordreset/get_reset_methods
  ```

  And the result was always the same: {"message": "No contact information is stored for this user. Resetting the password is not possible."}

  get_reset_methods() is still "vulnerable" in that existing users with stored contacts can be found - but that is by design (and is at least a little dampened by the request rate limiting).

* The reply for all requests, if the LDAP server is down, is in all cases the same: {"message": "Cannot connect to the LDAP service.\nThe following steps can help...}.
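The following is an added example, not code from this bug or from UCS: a toy model of the send_token endpoint discussed in the comments above, showing why per-branch error messages act as a username oracle and how collapsing every pre-authentication failure into one reply (the QA check of sending the same probe for several usernames) removes it. USERS, CONTACTS, BLACKLIST, the handler names and the "disabled" message are constructed for illustration.

```python
# Added example, not code from this bug or from UCS: a toy model of the
# send_token endpoint discussed above. USERS, CONTACTS, BLACKLIST and the
# handler names are constructed for illustration.

USERS = {"anton2", "anton3", "Administrator"}             # accounts that exist
CONTACTS = {"anton2": {"email": "anton2@example.test"}}   # registered recovery data
BLACKLIST = {"Administrator"}                             # reset not allowed here
RESET_METHODS = {"email"}
# The single message the fixed code uses for every failure before a token is sent.
NO_CONTACT = ("No contact information to send a token for password "
              "recovery to has been found.")


def send_token_leaky(username, method):
    """Pre-fix ordering: each failure branch has its own message, so the reply
    tells the caller whether the username exists or is blacklisted."""
    if username not in USERS:
        return NO_CONTACT
    if username in BLACKLIST:
        return "Password reset is disabled for this user."  # constructed text
    if method not in RESET_METHODS:
        return "Unknown recovery method '%s'." % method      # only real users get here
    if method not in CONTACTS.get(username, {}):
        return NO_CONTACT
    return "Token sent."


def send_token_uniform(username, method):
    """Fixed ordering: resolve the account first, then collapse every failure
    (unknown user, blacklisted, bad method, no contact) into NO_CONTACT."""
    contact = {}
    if username in USERS and username not in BLACKLIST:
        contact = CONTACTS.get(username, {})
    if method not in RESET_METHODS or method not in contact:
        return NO_CONTACT
    return "Token sent."


def distinct_replies(handler, usernames, method="foobar"):
    """The QA check from the bug: send one probe per username and collect the
    distinct replies. More than one distinct reply means an enumeration oracle."""
    return {handler(name, method) for name in usernames}


# Probe set modelled on the one QA used: existing user with contact (anton2),
# existing user without contact (anton3), unknown names, and a blacklisted user.
PROBES = ("anton2", "anton3", "anton", "", "@", "Administrator")
```

Against the same probes the leaky handler yields three different replies while the uniform handler yields exactly one, which is the property QA verified for get_reset_methods().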