The following issue has been RESOLVED.
======================================================================
http://dbmail.org/mantis/view.php?id=662
======================================================================
Reported By: vugluskr
Assigned To:
======================================================================
Project: DBMail
Issue ID: 662
Category: Authentication layer
Reproducibility: always
Severity: major
Priority: normal
Status: resolved
target:
Resolution: fixed
Fixed in Version: 2.2.9
======================================================================
Date Submitted: 16-Dec-07 18:10 CET
Last Modified: 16-Dec-07 23:14 CET
======================================================================
Summary: Ability to bypass authentication.
Description:
There is a security hole in the auth procedure. When the authldap module is used and
anonymous login is enabled on the LDAP server, any user can log in to any account
using an empty string as the password.
h000 ~ # telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK dbmail imap (protocol version 4r1) server 2.2 ready to run
a login [EMAIL PROTECTED] ""
a OK LOGIN completed
a logout
* BYE dbmail imap server kisses you goodbye
a OK completed
Connection closed by foreign host.
On the POP3 protocol I was not able to use this vulnerability. I don't know
how to send an empty password via the POP3 protocol.
h000 ~ # telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK DBMAIL pop3 server ready to rock
<[EMAIL PROTECTED]>
user [EMAIL PROTECTED]
+OK Password required for [EMAIL PROTECTED]
pass
-ERR your command does not compute
pass ""
-ERR username/password incorrect
quit
+OK see ya later
Connection closed by foreign host.
The root of the problem is in the use of the function ldap_bind_s:
    int ldap_bind_s(LDAP *ld, const char *who, const char *cred,
                    int method);
If the "cred" argument is "", the ldap library tries to authenticate as anonymous...
and bind returns success. So dbmail lets the user into the mailbox.
modules/authldap.c:1263
    /* Only the bind result is checked; an empty credential that the
     * server accepts as an anonymous bind therefore counts as a login. */
    if (ldap_err) {
        TRACE(TRACE_ERROR, "ldap_bind_s failed: %s",
              ldap_err2string(ldap_err));
        *user_idnr = 0;
    } else {
        db_user_log_login(*user_idnr);
    }
There is a patch to fix this issue in the attachment.
PS: The LDAP server is AD on a win2k3 server.
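The following added example (not DBMail's code and not the attached patch) models the decision logic above: a constructed stand-in for an AD-style simple bind that reports success for an empty credential, the vulnerable login flow that trusts that result, and a hardened flow that refuses empty or NULL credentials before ever binding. The DN, password and idnr values are made up for the demo.

```c
/* Added example, not DBMail code: why an empty simple-bind credential
 * passes, and the pre-bind guard that closes the hole. */
#include <stdio.h>
#include <string.h>

#define LDAP_SUCCESS             0
#define LDAP_INVALID_CREDENTIALS 49

/* Constructed model of an AD-style simple bind (RFC 4513 section 5.1.2):
 * a DN with an empty password is an "unauthenticated" bind, which the
 * server answers with success. Real libldap/AD calls are not used here. */
static int model_bind_s(const char *who, const char *cred)
{
    if (cred == NULL || cred[0] == '\0')
        return LDAP_SUCCESS;            /* unauthenticated bind "succeeds" */
    if (strcmp(who, "cn=alice,dc=example,dc=org") == 0 &&
        strcmp(cred, "correct horse") == 0)
        return LDAP_SUCCESS;
    return LDAP_INVALID_CREDENTIALS;
}

/* Vulnerable flow as in the report: the bind result alone decides login.
 * Returns the user's idnr on "success", 0 on failure. */
unsigned long login_vulnerable(const char *dn, const char *pw, unsigned long idnr)
{
    return model_bind_s(dn, pw) == LDAP_SUCCESS ? idnr : 0;
}

/* Hardened flow: reject empty or NULL DN/password before binding, so an
 * anonymous or unauthenticated bind can never be taken as authentication. */
unsigned long login_fixed(const char *dn, const char *pw, unsigned long idnr)
{
    if (dn == NULL || dn[0] == '\0' || pw == NULL || pw[0] == '\0')
        return 0;                       /* never bind with empty credentials */
    return model_bind_s(dn, pw) == LDAP_SUCCESS ? idnr : 0;
}

int main(void)
{
    const char *dn = "cn=alice,dc=example,dc=org";   /* constructed DN */
    printf("vulnerable, empty pw: idnr=%lu\n", login_vulnerable(dn, "", 42));
    printf("fixed, empty pw:      idnr=%lu\n", login_fixed(dn, "", 42));
    printf("fixed, real pw:       idnr=%lu\n", login_fixed(dn, "correct horse", 42));
    return 0;
}
```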
======================================================================
----------------------------------------------------------------------
paul - 16-Dec-07 22:55
----------------------------------------------------------------------
Yes. This *only* affects AD, not OpenLDAP. I seem to remember fixing this
some time ago. Looks like a regression, or I'm having serious deja vu here
:-(
----------------------------------------------------------------------
paul - 16-Dec-07 23:14
----------------------------------------------------------------------
Patch accepted. Thanks.
Issue History
Date Modified Username Field Change
======================================================================
16-Dec-07 18:10 vugluskr New Issue
16-Dec-07 18:10 vugluskr File Added: dbmail-2.2.7-ldap_anonbind.patch
16-Dec-07 22:55 paul Note Added: 0002451
16-Dec-07 23:14 paul Note Added: 0002452
16-Dec-07 23:14 paul Status new => resolved
16-Dec-07 23:14 paul Resolution open => fixed
16-Dec-07 23:14 paul Fixed in Version => 2.2.9
======================================================================
_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://twister.fastxs.net/mailman/listinfo/dbmail-dev