Package: fusiondirectory
Version: 1.3-3
Severity: grave
Tags: security
Justification: user security hole

As reported in
https://github.com/fusiondirectory/fusiondirectory-plugins/issues/25
fusiondirectory stores the passwords for the Dovecot and Cyrus master
accounts in LDAP in cleartext, on custom attributes that would be
exposed in a standard OpenLDAP installation.

There is no warning about this, nor any mention in the documentation.
Sadly, upstream seems hostile to the suggestion that this is a serious
security issue, and refuses to even document this behaviour. Personally,
I can't trust the software knowing this, but more importantly, there
might be tons of compromised systems out there.
-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (50, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fusiondirectory depends on:
ii  apache2 [httpd]                     2.4.38-3+deb10u3
ii  debconf [debconf-2.0]               1.5.71
ii  fusiondirectory-smarty3-acl-render  1.3-3
ii  gettext                             0.19.8.1-9
ii  javascript-common                   11
ii  libarchive-extract-perl             0.80-1
ii  libcrypt-cbc-perl                   2.33-2
ii  libfile-copy-recursive-perl         0.44-1
ii  libjs-prototype                     1.7.1-3
ii  libjs-scriptaculous                 1.9.0-2
ii  libnet-ldap-perl                    1:0.6500+dfsg-1
ii  libpath-class-perl                  0.37-1
ii  libterm-readkey-perl                2.38-1
ii  libxml-twig-perl                    1:3.50-1.1
ii  openssl                             1.1.1d-0+deb10u3
ii  perl [libdigest-sha-perl]           5.28.1-6
ii  php                                 2:7.3+69
ii  php-cas                             1.3.6-1
ii  php-curl                            2:7.3+69
ii  php-fpdf                            3:1.8.1.dfsg-2
ii  php-gd                              2:7.3+69
ii  php-imagick                         3.4.3-4.1
ii  php-imap                            2:7.3+69
ii  php-ldap                            2:7.3+69
ii  php-mbstring                        2:7.3+69
ii  php-xml                             2:7.3+69
ii  php7.3 [php]                        7.3.19-1~deb10u1
ii  php7.3-cli [php-cli]                7.3.19-1~deb10u1
ii  php7.3-curl [php-curl]              7.3.19-1~deb10u1
ii  php7.3-gd [php-gd]                  7.3.19-1~deb10u1
ii  php7.3-imap [php-imap]              7.3.19-1~deb10u1
ii  php7.3-ldap [php-ldap]              7.3.19-1~deb10u1
ii  php7.3-mbstring [php-mbstring]      7.3.19-1~deb10u1
ii  php7.3-xml [php-xml]                7.3.19-1~deb10u1
ii  schema2ldif                         1.3-3
ii  smarty-gettext                      1.6.1-1
ii  smarty3                             3.1.33+20180830.1.3a78a21f+selfpack1-1

fusiondirectory recommends no packages.

Versions of packages fusiondirectory suggests:
pn  argonaut-server         <none>
ii  fusiondirectory-schema  1.3-3
ii  slapd                   2.4.47+dfsg-3+deb10u2

-- Configuration Files:
/etc/fusiondirectory/fusiondirectory-apache.conf changed [not included]

-- debconf information excluded
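A defender-side check for the condition the report above describes, added here as an example that is not from the bug report or from FusionDirectory: it parses an LDIF export (for instance from slapcat) and flags secret-bearing attributes whose values carry no {SCHEME} hash prefix, so an operator can confirm whether master-account passwords sit in the directory in cleartext. The attribute names in the constructed sample are placeholders, since the report does not name the custom attributes involved.

```python
# Added example, not FusionDirectory code. The attribute names in the sample are
# placeholders: the report does not name the custom attributes involved.
import base64
import re

NAME_HINTS = ("password", "passwd", "secret")  # attr names treated as secrets
SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")  # {SSHA}, {CRYPT}, ... prefixes
LINE_RE = re.compile(r"^([A-Za-z][\w.;-]*):(:?) ?(.*)$")  # 'a: v' or 'a:: b64'

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])]; unfolds lines, decodes base64."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = []
        for raw in block.splitlines():  # a leading space continues the line
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, []
        for m in filter(None, map(LINE_RE.match, lines)):
            name, value = m.group(1), m.group(3)
            if m.group(2):  # '::' marks a base64-encoded value
                value = base64.b64decode(value).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.append((name, value))
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def find_cleartext_secrets(text):
    """(dn, attr) pairs whose secret-like value has no {SCHEME} hash prefix."""
    findings = []
    for dn, attrs in parse_ldif(text):
        for name, value in attrs:
            if any(h in name.lower() for h in NAME_HINTS) and not SCHEME_RE.match(value):
                findings.append((dn, name))
    return findings

SAMPLE_LDIF = """\
dn: uid=dovecot-master,ou=systems,dc=example,dc=com
dovecotMasterPassword: hunter2-in-clear
userPassword: {SSHA}c2FsdGVkaGFzaGJ5dGVz

dn: uid=cyrus-master,ou=systems,dc=example,dc=com
cyrusMasterPassword:: cGxhaW50ZXh0LXNlY3JldA==
userPassword: {CRYPT}$6$saltsalt$hashhash
"""  # constructed: cleartext, base64-wrapped cleartext, and two hashed values
```

Any hit from `find_cleartext_secrets` is an attribute to protect with an OpenLDAP ACL (and, ideally, to stop storing unhashed); hashed `userPassword` values are deliberately left unflagged.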
