The following issue has been RESOLVED.
======================================================================
http://dbmail.org/mantis/view.php?id=662
======================================================================
Reported By:                vugluskr
Assigned To:
======================================================================
Project:                    DBMail
Issue ID:                   662
Category:                   Authentication layer
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     resolved
target:
Resolution:                 fixed
Fixed in Version:           2.2.9
======================================================================
Date Submitted:             16-Dec-07 18:10 CET
Last Modified:              16-Dec-07 23:14 CET
======================================================================
Summary:                    Ability to bypass authentication.
Description:
There is a security hole in the auth procedure. When the authldap module is used and anonymous login is enabled on the LDAP server, any user can log in to any account using an empty string as the password.
h000 ~ # telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK dbmail imap (protocol version 4r1) server 2.2 ready to run
a login [EMAIL PROTECTED] ""
a OK LOGIN completed
a logout
* BYE dbmail imap server kisses you goodbye
a OK completed
Connection closed by foreign host.

On the pop3 protocol I was not able to use this vulnerability. I don't know how to send an empty password via the pop3 protocol.

h000 ~ # telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK DBMAIL pop3 server ready to rock <[EMAIL PROTECTED]>
user [EMAIL PROTECTED]
+OK Password required for [EMAIL PROTECTED]
pass
-ERR your command does not compute
pass ""
-ERR username/password incorrect
quit
+OK see ya later
Connection closed by foreign host.

The root of the problem is in the use of the function ldap_bind_s:

int ldap_bind_s(LDAP *ld, const char *who, const char *cred, int method);

If the "cred" argument is "", the ldap library tries to authenticate as anonymous... and bind returns success. So dbmail lets the user into the mailbox.

modules/authldap.c:1263

    if (ldap_err) {
        TRACE(TRACE_ERROR, "ldap_bind_s failed: %s", ldap_err2string(ldap_err));
        *user_idnr = 0;
    } else {
        db_user_log_login(*user_idnr);
    }

There is a patch to fix this issue in the attachment.

PS: The LDAP is AD on a win2k3 server.
======================================================================

----------------------------------------------------------------------
paul - 16-Dec-07 22:55
----------------------------------------------------------------------
Yes. This *only* affects AD, not openldap. I seem to remember fixing this some time ago. Looks like a regression or I'm having serious deja-vu here :-(

----------------------------------------------------------------------
paul - 16-Dec-07 23:14
----------------------------------------------------------------------
Patch accepted. Thanks.
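The defect above is a bind call that trusts the directory to reject an empty credential, while LDAP simple bind defines an empty password as an anonymous (or, with a DN present, unauthenticated) bind that many servers accept. The guard belongs on the client side, before any bind is attempted. The block below is an added example and is not dbmail's code nor the attached patch (which is not reproduced in this report); it injects a stand-in bind function in place of ldap_bind_s so it runs without libldap, and the DN, the password "correct-horse" and the stand-in's behaviour are constructed for illustration. The numeric result codes are the LDAP protocol values (success 0, invalidCredentials 49).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* LDAP result codes from the protocol definition (RFC 4511). */
#define LDAP_SUCCESS             0
#define LDAP_INVALID_CREDENTIALS 49

/* Shape of the bind call being guarded: ldap_bind_s minus the LDAP* handle and
 * method, so that a stand-in can be injected in this stand-alone example (assumption). */
typedef int (*bind_fn)(const char *who, const char *cred);

/* Client-side precondition for a simple bind used as password verification:
 * a missing or empty DN, or a missing or empty password, must never reach the
 * server, because the server may treat either as an anonymous/unauthenticated
 * bind and answer "success" without checking anything. Returns 1 if usable. */
int credential_is_usable(const char *who, const char *cred)
{
    if (who == NULL || who[0] == '\0')
        return 0;
    if (cred == NULL || cred[0] == '\0')
        return 0;
    return 1;
}

/* Guarded bind: an unusable credential is reported as invalid without a bind. */
int guarded_bind(bind_fn bind, const char *who, const char *cred)
{
    if (!credential_is_usable(who, cred))
        return LDAP_INVALID_CREDENTIALS;
    return bind(who, cred);
}

/* Constructed stand-in for a directory that accepts anonymous binds, mirroring
 * the behaviour described in the report: empty password -> bind succeeds. */
static int permissive_bind(const char *who, const char *cred)
{
    (void)who;
    if (cred == NULL || cred[0] == '\0')
        return LDAP_SUCCESS;                       /* anonymous bind accepted */
    return strcmp(cred, "correct-horse") == 0 ? LDAP_SUCCESS
                                              : LDAP_INVALID_CREDENTIALS;
}

static const char *DN = "cn=alice,ou=people,dc=example,dc=org"; /* constructed */

/* Unguarded call, as in the vulnerable code path: "" logs in. */
int unguarded_empty_password(void) { return permissive_bind(DN, ""); }

/* Guarded call with the same empty password: rejected before the bind. */
int guarded_empty_password(void) { return guarded_bind(permissive_bind, DN, ""); }

/* Guarded call with a real password still works. */
int guarded_real_password(void) { return guarded_bind(permissive_bind, DN, "correct-horse"); }

/* Guarded call with a wrong password is still refused by the directory. */
int guarded_wrong_password(void) { return guarded_bind(permissive_bind, DN, "wrong"); }

int main(void)
{
    printf("unguarded, empty password: %d (0 = login accepted)\n", unguarded_empty_password());
    printf("guarded,   empty password: %d (49 = invalid credentials)\n", guarded_empty_password());
    printf("guarded,   real password:  %d\n", guarded_real_password());
    printf("guarded,   wrong password: %d\n", guarded_wrong_password());
    return 0;
}
```

In the dbmail code path quoted above, the equivalent check sits immediately before the ldap_bind_s call, so that an empty password takes the same failure branch as a bind error and the login is never logged as successful. The check is deliberately independent of which directory is behind the bind: whether a given server honours anonymous or unauthenticated simple binds is a server-side setting the client cannot rely on.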
Issue History
Date Modified    Username       Field                    Change
======================================================================
16-Dec-07 18:10  vugluskr       New Issue
16-Dec-07 18:10  vugluskr       File Added: dbmail-2.2.7-ldap_anonbind.patch
16-Dec-07 22:55  paul           Note Added: 0002451
16-Dec-07 23:14  paul           Note Added: 0002452
16-Dec-07 23:14  paul           Status                   new => resolved
16-Dec-07 23:14  paul           Resolution               open => fixed
16-Dec-07 23:14  paul           Fixed in Version          => 2.2.9
======================================================================

_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://twister.fastxs.net/mailman/listinfo/dbmail-dev