0001047: Possible to login with blank password when LDAP is enabled

--- functions.inc.php 2009-10-24 12:59:42.055547388 +0100 +++ functions.inc.php 2010-01-20 20:48:11.411473429 +0000 @@ -149,73 +149,80 @@ { global $CONFIG; $toReturn = false; - - $sql = "SELECT id, password, status, user_source FROM `{$GLOBALS['dbUsers']}` WHERE username = '{$username}'"; - $result = mysql_query($sql); - if (mysql_error()) trigger_error(mysql_error(),E_USER_WARNING); - if (mysql_num_rows($result) == 1) - { - // Exist in SiT DB - $obj = mysql_fetch_object($result); - if ($obj->user_source == 'sit') - { - if (md5($password) == $obj->password AND $obj->status != 0) $toReturn = true; - else $toReturn = false; - } - elseif ($obj->user_source == 'ldap') - { - // Auth against LDAP and sync - $toReturn = authenticateLDAP($username, $password, $obj->id); - if ($toReturn === -1) - { - // Communication with LDAP server failed - if ($CONFIG['ldap_allow_cached_password']) - { - // Use cached password - if (md5($password) == $obj->password AND $obj->status != 0) $toReturn = true; - else $toReturn = false; - } - else - { - $toReturn = false; - } - } - elseif ($toReturn) - { - $toReturn = true; - } - else - { - $toReturn = false; - } - } - } - elseif (mysql_num_rows($result) > 1) + + if (!empty($username) AND !empty($password)) { - // Multiple this should NEVER happen - trigger_error("Username not unique", E_USER_ERROR); - $toReturn = false; + $sql = "SELECT id, password, status, user_source FROM `{$GLOBALS['dbUsers']}` WHERE username = '{$username}'"; + $result = mysql_query($sql); + if (mysql_error()) trigger_error(mysql_error(),E_USER_WARNING); + if (mysql_num_rows($result) == 1) + { + // Exist in SiT DB + $obj = mysql_fetch_object($result); + if ($obj->user_source == 'sit') + { + if (md5($password) == $obj->password AND $obj->status != 0) $toReturn = true; + else $toReturn = false; + } + elseif ($obj->user_source == 'ldap') + { + // Auth against LDAP and sync + $toReturn = authenticateLDAP($username, $password, $obj->id); + if ($toReturn === -1) + { + // Communication with LDAP server failed + if ($CONFIG['ldap_allow_cached_password']) + { + // Use cached password + if (md5($password) == $obj->password AND $obj->status != 0) $toReturn = true; + else $toReturn = false; + } + else + { + $toReturn = false; + } + } + elseif ($toReturn) + { + $toReturn = true; + } + else + { + $toReturn = false; + } + } + } + elseif (mysql_num_rows($result) > 1) + { + // Multiple this should NEVER happen + trigger_error("Username not unique", E_USER_ERROR); + $toReturn = false; + } + else + { + // Don't exist, check LDAP etc + if ($CONFIG['use_ldap']) + { + $toReturn = authenticateLDAP($username, $password); + if ($toReturn === -1) $toReturn = false; + } + } + + if ($toReturn) + { + journal(CFG_LOGGING_MAX,'User Authenticated',"{$username} authenticated from " . getenv('REMOTE_ADDR'),CFG_JOURNAL_LOGIN,0); + debug_log ("Authenticate: User authenticated",TRUE); + } + else + { + debug_log ("authenticate: User NOT authenticated",TRUE); + } } else { - // Don't exist, check LDAP etc - if ($CONFIG['use_ldap']) - { - $toReturn = authenticateLDAP($username, $password); - if ($toReturn === -1) $toReturn = false; - } - } - - if ($toReturn) - { - journal(CFG_LOGGING_MAX,'User Authenticated',"{$username} authenticated from " . getenv('REMOTE_ADDR'),CFG_JOURNAL_LOGIN,0); - debug_log ("Authenticate: User authenticated",TRUE); - } - else - { - debug_log ("authenticate: User NOT authenticated",TRUE); + debug_log ("Blank username or password for user thus denying access"); + $toReturn = false; } - return $toReturn; } @@ -227,72 +234,80 @@ global $CONFIG; $toReturn = false; - $sql = "SELECT id, password, contact_source, active FROM `{$GLOBALS['dbContacts']}` WHERE username = '{$username}'"; - $result = mysql_query($sql); - if (mysql_error()) trigger_error(mysql_error(),E_USER_WARNING); - if (mysql_num_rows($result) == 1) + if (!empty($username) AND !empty($password)) { - debug_log ("Authenticate: Just one contact in db"); - // Exists in SiT DB - $obj = mysql_fetch_object($result); - if ($obj->contact_source == 'sit') - { - if ((md5($password) == $obj->password OR $password == $obj->password) AND $obj->active == 'true') $toReturn = true; - else $toReturn = false; - } - elseif ($obj->contact_source == 'ldap') - { - // Auth against LDAP and sync - $toReturn = authenticateLDAP($username, $password, $obj->id, false); - if ($toReturn === -1) - { - // Communication with LDAP server failed - if ($CONFIG['ldap_allow_cached_password']) - { - debug_log ("LDAP connection failed, using cached password"); - // Use cached password - if ((md5($password) == $obj->password OR $password == $obj->password) AND $obj->active == 'true') $toReturn = true; - else $toReturn = false; - debug_log ("Cached contact {$toReturn} {$password}"); - - } - else - { - debug_log ("Cached passwords are not enabled"); - $toReturn = false; - } - } - elseif ($toReturn) - { - $toReturn = true; - } - else - { - $toReturn = false; - } - } - else - { - debug_log ("Source SOMETHING ELSE this shouldn't happen'"); - $toReturn = false; - } - } - elseif (mysql_num_rows($result) > 1) - { - debug_log ("Multiple"); - // Multiple this should NEVER happen - trigger_error($GLOBALS['strUsernameNotUnique'], E_USER_ERROR); - $toReturn = false; + $sql = "SELECT id, password, contact_source, active FROM `{$GLOBALS['dbContacts']}` WHERE username = '{$username}'"; + $result = mysql_query($sql); + if (mysql_error()) trigger_error(mysql_error(),E_USER_WARNING); + if (mysql_num_rows($result) == 1) + { + debug_log ("Authenticate: Just one contact in db"); + // Exists in SiT DB + $obj = mysql_fetch_object($result); + if ($obj->contact_source == 'sit') + { + if ((md5($password) == $obj->password OR $password == $obj->password) AND $obj->active == 'true') $toReturn = true; + else $toReturn = false; + } + elseif ($obj->contact_source == 'ldap') + { + // Auth against LDAP and sync + $toReturn = authenticateLDAP($username, $password, $obj->id, false); + if ($toReturn === -1) + { + // Communication with LDAP server failed + if ($CONFIG['ldap_allow_cached_password']) + { + debug_log ("LDAP connection failed, using cached password"); + // Use cached password + if ((md5($password) == $obj->password OR $password == $obj->password) AND $obj->active == 'true') $toReturn = true; + else $toReturn = false; + debug_log ("Cached contact {$toReturn} {$password}"); + + } + else + { + debug_log ("Cached passwords are not enabled"); + $toReturn = false; + } + } + elseif ($toReturn) + { + $toReturn = true; + } + else + { + $toReturn = false; + } + } + else + { + debug_log ("Source SOMETHING ELSE this shouldn't happen'"); + $toReturn = false; + } + } + elseif (mysql_num_rows($result) > 1) + { + debug_log ("Multiple"); + // Multiple this should NEVER happen + trigger_error($GLOBALS['strUsernameNotUnique'], E_USER_ERROR); + $toReturn = false; + } + else + { + debug_log ("Authenticate: No matching contact '$username' found in db"); + // Don't exist, check LDAP etc + if ($CONFIG['use_ldap'] AND !empty($CONFIG['ldap_customer_group'])) + { + $toReturn = authenticateLDAP($username, $password, 0, false); + if ($toReturn === -1) $toReturn = false; + } + } } else { - debug_log ("Authenticate: No matching contact '$username' found in db"); - // Don't exist, check LDAP etc - if ($CONFIG['use_ldap'] AND !empty($CONFIG['ldap_customer_group'])) - { - $toReturn = authenticateLDAP($username, $password, 0, false); - if ($toReturn === -1) $toReturn = false; - } + debug_log ("Blank username or password for user thus denying access"); + $toReturn = false; } debug_log ("authenticateContact returning {$toReturn}");

Notes
(0002295) ivan (administrator) 2010-01-20 18:56 edited on: 2010-01-20 18:57	Since this is so serious, if you want an immediate work-around to make your systems safe you can insert the following line of code into your lib/functions.inc.php file at line 152 (assuming you're running v3.50) if (empty($password)) return false; This will ensure it's never possible to login with an empty password. A proper fix will be included with 3.51 after we've had time to investigate this properly.

(0002296) paulh (administrator) 2010-01-20 19:21	Confirm this is an issue

(0002298) paulh (administrator) 2010-01-20 19:42	Having worked though the code I've identified the source of this problem to be that eDirectory treats binds without a oassword as anonymous binds: 02:02:29 3E248950 LDAP: DoBind on connection 0xfb5a040 02:02:29 3E248950 LDAP: Treating simple bind with no password as anonymous 02:02:29 3E248950 LDAP: Bind name:NULL, version:3, authentication:simple 02:02:29 3E248950 LDAP: Sending operation result 0:"":"" to connection 0xfb5a040 Which in eDirectory isn't an issue as anonymous bound users are only able to see a limited set of attributes though SiT gets a status of 0 back (login successful) hence why we let the user in. Not sure of the best fix though suspecting the workaround Ivan posted is the best

(0002299) paulh (administrator) 2010-01-20 21:01	r6021 resolves this issue in 3.x and trunk also a patch and a patched functions.inc.php is available in this bug

(0002302) ivan (administrator) 2010-01-23 19:02	Fix released in v3.51 which is now available

Issue History
Date Modified	Username	Field	Change
2010-01-20 18:47	ivan	New Issue
2010-01-20 18:47	ivan	Tag Attached: security
2010-01-20 18:56	ivan	Note Added: 0002295
2010-01-20 18:56	ivan	Product Version	=> 3.50
2010-01-20 18:56	ivan	Target Version	=> 3.51
2010-01-20 18:57	ivan	Note Edited: 0002295	View Revisions
2010-01-20 19:21	paulh	Note Added: 0002296
2010-01-20 19:21	paulh	Status	new => confirmed
2010-01-20 19:28	kieran	Note Added: 0002297
2010-01-20 19:42	paulh	Note Added: 0002298
2010-01-20 19:56	kieran	Note Deleted: 0002297
2010-01-20 20:00	ivan	Sticky Issue	No => Yes
2010-01-20 20:42	paulh	Status	confirmed => assigned
2010-01-20 20:42	paulh	Assigned To	=> paulh
2010-01-20 20:55	paulh	File Added: bug1047.patch
2010-01-20 20:56	paulh	File Added: functions.inc.php
2010-01-20 21:01	paulh	Note Added: 0002299
2010-01-20 21:01	paulh	Status	assigned => resolved
2010-01-20 21:01	paulh	Resolution	open => fixed
2010-01-20 21:01	paulh	Fixed in Version	=> Current SVN
2010-01-23 19:01	ivan	Fixed in Version	Current SVN => 3.51
2010-01-23 19:02	ivan	Note Added: 0002302
2010-01-23 19:02	ivan	Status	resolved => closed
2010-01-27 21:42	ivan	Sticky Issue	Yes => No

Relationships