bugtrack
Sun, 16 Dec 2007 09:21:13 -0800
The following issue has been SUBMITTED.
======================================================================
http://dbmail.org/mantis/view.php?id=662
======================================================================
Reported By:                vugluskr
Assigned To:
======================================================================
Project:                    DBMail
Issue ID:                   662
Category:                   Authentication layer
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     new
target:
======================================================================
Date Submitted:             16-Dec-07 18:10 CET
Last Modified:              16-Dec-07 18:10 CET
======================================================================
Summary:                    Ability to bypass authentication.
Description:
There is a security hole in the auth procedure. When the authldap module is used and anonymous login is enabled on the LDAP server, any user can log in to any account using an empty string as the password.
h000 ~ # telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK dbmail imap (protocol version 4r1) server 2.2 ready to run
a login [EMAIL PROTECTED] ""
a OK LOGIN completed
a logout
* BYE dbmail imap server kisses you goodbye
a OK completed
Connection closed by foreign host.
On the pop3 protocol I was not able to use this vulnerability. I don't know
how to send an empty password via the pop3 protocol.
h000 ~ # telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK DBMAIL pop3 server ready to rock
<[EMAIL PROTECTED]>
user [EMAIL PROTECTED]
+OK Password required for [EMAIL PROTECTED]
pass
-ERR your command does not compute
pass ""
-ERR username/password incorrect
quit
+OK see ya later
Connection closed by foreign host.
The root of the problem is in the use of the function ldap_bind_s:
int ldap_bind_s(LDAP *ld, const char *who, const char *cred,
                int method);
If the "cred" argument is "", the ldap library tries to authenticate as
anonymous... and the bind returns success. So dbmail lets the user into the
mailbox.
modules/authldap.c:1263
if (ldap_err) {
    TRACE(TRACE_ERROR, "ldap_bind_s failed: %s",
          ldap_err2string(ldap_err));
    *user_idnr = 0;
} else {
    db_user_log_login(*user_idnr);
}
There is a patch to fix this issue in the attachment.
PS: The LDAP is AD on a win2k3 server.
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
16-Dec-07 18:10 vugluskr New Issue
16-Dec-07 18:10 vugluskr File Added: dbmail-2.2.7-ldap_anonbind.patch
======================================================================
_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://twister.fastxs.net/mailman/listinfo/dbmail-dev
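
The check the report calls for, as an added example that is not DBMail code and not the attached dbmail-2.2.7-ldap_anonbind.patch (which is not shown here): reject an empty DN or password before any bind is attempted. sim_bind, validate_unguarded, validate_guarded and the sample account are hypothetical names and constructed values; sim_bind stands in for ldap_bind_s against a server that allows anonymous binds, so the block runs without an LDAP library.

```c
#include <stdio.h>
#include <string.h>

#define BIND_SUCCESS 0               /* LDAP_SUCCESS */
#define BIND_INVALID_CREDENTIALS 49  /* LDAP_INVALID_CREDENTIALS */

/* Constructed sample account; not taken from the report. */
#define SAMPLE_DN "cn=alice,dc=example,dc=org"
#define SAMPLE_PW "correct-horse"

/* Hypothetical stand-in for ldap_bind_s() against a server that allows
 * anonymous binds: an empty credential succeeds whatever DN is supplied. */
static int sim_bind(const char *who, const char *cred)
{
    if (cred == NULL || cred[0] == '\0')
        return BIND_SUCCESS;                 /* treated as anonymous */
    if (who != NULL && strcmp(who, SAMPLE_DN) == 0 && strcmp(cred, SAMPLE_PW) == 0)
        return BIND_SUCCESS;
    return BIND_INVALID_CREDENTIALS;
}

/* Same decision as the excerpt in the report: the bind result alone decides. */
int validate_unguarded(const char *dn, const char *password, unsigned long *user_idnr)
{
    if (sim_bind(dn, password)) {
        *user_idnr = 0;
        return 0;
    }
    return 1;
}

/* Guarded form: an empty DN or password is rejected before any bind. */
int validate_guarded(const char *dn, const char *password, unsigned long *user_idnr)
{
    if (dn == NULL || dn[0] == '\0' || password == NULL || password[0] == '\0') {
        *user_idnr = 0;
        return 0;
    }
    return validate_unguarded(dn, password, user_idnr);
}

int main(void)
{
    unsigned long id = 7;  /* constructed user id */
    printf("unguarded, empty password: %d\n", validate_unguarded(SAMPLE_DN, "", &id));
    printf("guarded,   empty password: %d\n", validate_guarded(SAMPLE_DN, "", &id));
    printf("guarded,   right password: %d\n", validate_guarded(SAMPLE_DN, SAMPLE_PW, &id));
    return 0;
}
```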