Warnings when LDAP server is not available

Bug #1537908 reported by Son Nguyen on 2016-01-25
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Mahara
High
Unassigned
15.10
High
Unassigned

Bug Description

Version: master (16.04), 15.10
Platform: any
Browser: any

When logging in using LDAP authentication, I get the following error message if the LDAP server is not available, and the password for the LDAP special user does appear. (I changed it to 'visiblepassword'.)

[Mon Jan 25 21:00:44.324225 2016] [:error] [pid 11] [client 172.17.0.1:37746] [WAR] a2 (auth/ldap/lib.php:271) ldap_bind(): Unable to bind to server: Can't contact LDAP server, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324262 2016] [:error] [pid 11] [client 172.17.0.1:37746] Call stack (most recent first):, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324272 2016] [:error] [pid 11] [client 172.17.0.1:37746] * log_message("ldap_bind(): Unable to bind to server: Can't conta...", 8, true, true, "/var/www/html/mahara-clients/docroot/htdocs/auth/l...", 271) at /var/www/html/mahara-clients/docroot/htdocs/lib/errors.php:441, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324281 2016] [:error] [pid 11] [client 172.17.0.1:37746] * error(2, "ldap_bind(): Unable to bind to server: Can't conta...", "/var/www/html/mahara-clients/docroot/htdocs/auth/l...", 271, array(size 5)) at Unknown:0, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324288 2016] [:error] [pid 11] [client 172.17.0.1:37746] * ldap_bind(resource(#106), "cn=ldap proxy,ou=special users,ou=school,DC=eggs,D...", "visiblepassword") at /var/www/html/mahara-clients/docroot/htdocs/auth/ldap/lib.php:271, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324296 2016] [:error] [pid 11] [client 172.17.0.1:37746] * AuthLdap->ldap_connect() at /var/www/html/mahara-clients/docroot/htdocs/auth/ldap/lib.php:139, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324303 2016] [:error] [pid 11] [client 172.17.0.1:37746] * AuthLdap->authenticate_user_account(object(LiveUser), "********") at /var/www/html/mahara-clients/docroot/htdocs/auth/lib.php:1500, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324310 2016] [:error] [pid 11] [client 172.17.0.1:37746] * login_submit(object(Pieform), array(size 6)) at Unknown:0, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324316 2016] [:error] [pid 11] [client 172.17.0.1:37746] * call_user_func_array("login_submit", array(size 2)) at /var/www/html/mahara-clients/docroot/htdocs/lib/pieforms/pieform.php:537, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324323 2016] [:error] [pid 11] [client 172.17.0.1:37746] * Pieform->__construct(array(size 9)) at /var/www/html/mahara-clients/docroot/htdocs/auth/lib.php:505, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324331 2016] [:error] [pid 11] [client 172.17.0.1:37746] * auth_setup() at /var/www/html/mahara-clients/docroot/htdocs/init.php:408, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324338 2016] [:error] [pid 11] [client 172.17.0.1:37746] * require("/var/www/html/mahara-clients/docroot/htdocs/init.p...") at /var/www/html/mahara-clients/docroot/htdocs/index.php:16, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324345 2016] [:error] [pid 11] [client 172.17.0.1:37746] , referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326490 2016] [:error] [pid 11] [client 172.17.0.1:37746] [WAR] a2 (auth/ldap/lib.php:200) LDAP connection failed: ldaps://rodc1.eggs.school.nz/ou=school,DC=eggs,DC=school,DC=nz, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326518 2016] [:error] [pid 11] [client 172.17.0.1:37746] Call stack (most recent first):, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326544 2016] [:error] [pid 11] [client 172.17.0.1:37746] * log_message("LDAP connection failed: ldaps://rodc1.eggs.school....", 8, true, true) at /var/www/html/mahara-clients/docroot/htdocs/lib/errors.php:97, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326553 2016] [:error] [pid 11] [client 172.17.0.1:37746] * log_warn("LDAP connection failed: ldaps://rodc1.eggs.school....") at /var/www/html/mahara-clients/docroot/htdocs/auth/ldap/lib.php:200, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326562 2016] [:error] [pid 11] [client 172.17.0.1:37746] * AuthLdap->authenticate_user_account(object(LiveUser), "********") at /var/www/html/mahara-clients/docroot/htdocs/auth/lib.php:1500, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326569 2016] [:error] [pid 11] [client 172.17.0.1:37746] * login_submit(object(Pieform), array(size 6)) at Unknown:0, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326576 2016] [:error] [pid 11] [client 172.17.0.1:37746] * call_user_func_array("login_submit", array(size 2)) at /var/www/html/mahara-clients/docroot/htdocs/lib/pieforms/pieform.php:537, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326585 2016] [:error] [pid 11] [client 172.17.0.1:37746] * Pieform->__construct(array(size 9)) at /var/www/html/mahara-clients/docroot/htdocs/auth/lib.php:505, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326593 2016] [:error] [pid 11] [client 172.17.0.1:37746] * auth_setup() at /var/www/html/mahara-clients/docroot/htdocs/init.php:408, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326600 2016] [:error] [pid 11] [client 172.17.0.1:37746] * require("/var/www/html/mahara-clients/docroot/htdocs/init.p...") at /var/www/html/mahara-clients/docroot/htdocs/index.php:16, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326608 2016] [:error] [pid 11] [client 172.17.0.1:37746] , referer: http://localhost/mahara-clients/docroot/htdocs/

Changed in mahara:
status: New → Confirmed
milestone: none → 16.04.0
information type: Public → Public Security
Aaron Wells (u-aaronw) wrote :

This bug is similar to Bug 1009262 (User passwords logged when LDAP misconfigured), but in this case it's logging the password that Mahara itself uses to bind to the LDAP server. Specifically, that's field 8 on this manual page: manual.mahara.org/en/15.10/administration/institutions.html#index-17

The actual security implications of this bug are limited by the fact that an attacker needs read-access to the web server error logs. And in most systems, if a user has read access to those logs, they most likely already have read-access to Mahara's "config.php" file and could retrieve the LDAP bind password from the database (as this password has to be stored in plaintext; unlike user passwords, which are hashed).

Additionally, unlike Bug 1009262, in this case the exposed password is not a user password (which is likely used by the same human being for other services), but a password for an automated account. In a properly configured system, this password will be unique to this one account, and the account will be limited to read-only access in the LDAP context where user data and/or group data is stored.

It's worth noting this LDAP configuration field is, in fact, optional. It doesn't need to be filled in for institutions that allow anonymous binds (perhaps using the network to enforce LDAP access security), or for institutions that are not doing user auto-creation or LDAP user sync or LDAP group sync.

It's still worth fixing this issue, however, because of the possibility that the server logs may unexpectedly be made accessible to others, or the possibility of a configuration change printing error messages to the web front-end instead of the logs.

Aaron Wells (u-aaronw) wrote :

Correction, on further analysis of the code, you don't have to have enabled user auto-creation or sync in order to be affected by this bug. Before the LDAP auth plugin tries to authenticate a username and password, it connects to the server using the Mahara bind DN & password (or anonymously) and runs an LDAP search to try to find out the DN for the user's record.

At first this seems like an unnecessary step. Why not just construct the user's DN using the user context, the username attribute, and the username value? But, users may be stored in multiple contexts (there is a "recurse into subcontexts" setting), and the username attribute may not be part of the user's DN. So this actually is a necessary step. (Although potentially we could cache the DN somewhere in Mahara's database to save on this extra connection step.)

no longer affects: mahara/1.10
Changed in mahara:
milestone: 16.04.0 → 16.04.1
Robert Lyon (robertl-9) on 2016-06-09
Changed in mahara:
milestone: 16.04.1 → 16.04.2
Robert Lyon (robertl-9) wrote :

This bug has been fixed as part of the fix for Bug 1567186: More thorough checking for passwords in stacktraces

The patch that did the fixing is here: https://reviews.mahara.org/#/c/6335/5
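
The two comments above describe the flow that triggers the leak (Mahara binds with its own proxy DN and password before it can search for the user's DN) and the direction of the fix (checking stack traces for passwords before they are logged). The following is an added example, not Mahara's code and not the patch linked above: a PHP error handler that formats a call stack the way the log excerpt in the report does, but redacts arguments at known-sensitive positions and any string containing a registered secret before anything is written out. The `SENSITIVE_ARGS` table, `proxy_bind`, `authenticate_user_account`, the `example.invalid` configuration and the combination of positional and known-secret masking are assumptions made for this demonstration; the unreachable server is simulated with `trigger_error()` so the script runs without a directory server.

```php
<?php
// Added example (not Mahara's own code): log a PHP call stack with secret
// arguments redacted, so a failing ldap_bind() cannot leak the bind password.

// Argument positions (0-based) that must never be written to a log, per
// function name. Hypothetical table: extend it for your own code base.
const SENSITIVE_ARGS = [
    'ldap_bind'                 => [2],  // ldap_bind($link, $dn, $password)
    'proxy_bind'                => [2],  // stand-in wrapper defined below
    'authenticate_user_account' => [1],  // (username, password)
];

// Secrets known at configuration time (e.g. the LDAP bind password) are
// masked wherever they appear, even in arguments of unlisted functions.
$GLOBALS['KNOWN_SECRETS'] = [];
$GLOBALS['LAST_LOG'] = '';

function register_secret(string $secret): void {
    if ($secret !== '') { $GLOBALS['KNOWN_SECRETS'][] = $secret; }
}

// Render one argument the way the log excerpt does (truncated strings,
// object(Class), array(size N)), masking any string that contains a secret.
function format_arg($arg): string {
    if (is_string($arg)) {
        foreach ($GLOBALS['KNOWN_SECRETS'] as $s) {
            if (strpos($arg, $s) !== false) { return '"********"'; }
        }
        return '"' . (strlen($arg) > 50 ? substr($arg, 0, 50) . '...' : $arg) . '"';
    }
    if (is_object($arg))   { return 'object(' . get_class($arg) . ')'; }
    if (is_array($arg))    { return 'array(size ' . count($arg) . ')'; }
    if (is_resource($arg)) { return 'resource'; }
    return var_export($arg, true);
}

// Format frames from debug_backtrace() as "Call stack (most recent first)",
// applying both the positional table and the known-secret mask.
function format_backtrace(array $frames): string {
    $out = "Call stack (most recent first):\n";
    foreach ($frames as $f) {
        $name   = $f['function'];
        $masked = SENSITIVE_ARGS[$name] ?? [];
        $rendered = [];
        foreach ($f['args'] ?? [] as $i => $a) {
            $rendered[] = in_array($i, $masked, true) ? '"********"' : format_arg($a);
        }
        $callee = isset($f['class']) ? $f['class'] . $f['type'] . $name : $name;
        $where  = isset($f['file']) ? $f['file'] . ':' . $f['line'] : 'Unknown:0';
        $out   .= "  * $callee(" . implode(', ', $rendered) . ") at $where\n";
    }
    return $out;
}

// Error handler: redact first, then log. Frame 0 is this handler itself.
function redacting_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool {
    $frames = array_slice(debug_backtrace(), 1);
    $GLOBALS['LAST_LOG'] = "[WAR] $errstr ($errfile:$errline)\n" . format_backtrace($frames);
    error_log($GLOBALS['LAST_LOG']);
    return true;
}

// Stand-in for the plugin's ldap_connect(): a real deployment calls
// ldap_bind() here; the unreachable server is simulated with trigger_error().
function proxy_bind(string $url, string $binddn, string $bindpw): bool {
    trigger_error("ldap_bind(): Unable to bind to server: Can't contact LDAP server", E_USER_WARNING);
    return false;
}

// Same shape as the flow in the report: bind with the proxy credentials,
// then (on success) search for the user's DN and bind as the user.
function authenticate_user_account(string $username, string $password): bool {
    $cfg = [  // constructed configuration, not a real directory
        'url'    => 'ldaps://ldap.example.invalid/',
        'binddn' => 'cn=ldap proxy,ou=special users,dc=example,dc=invalid',
        'bindpw' => 'visiblepassword',
    ];
    register_secret($cfg['bindpw']);
    if (!proxy_bind($cfg['url'], $cfg['binddn'], $cfg['bindpw'])) {
        return false;  // the DN search and the user bind are never reached
    }
    return false;
}

set_error_handler('redacting_error_handler');
authenticate_user_account('alice', 'users-own-secret');

// Self-check: neither the bind password nor the user's password survives
// into the logged text.
foreach (['visiblepassword', 'users-own-secret'] as $secret) {
    if (strpos($GLOBALS['LAST_LOG'], $secret) !== false) {
        fwrite(STDERR, "FAIL: '$secret' leaked into the log\n");
        exit(1);
    }
}
echo "ok: call stack logged with passwords redacted\n";
```

Run it with `php example.php`; the redacted call stack goes to stderr via `error_log()` and the final line confirms that neither password appears. The two layers matter for different reasons: the positional table is what protects the user's password (which is never a configured secret), while the known-secret mask catches the bind password even when it is passed through a function nobody thought to list.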

Changed in mahara:
status: Confirmed → Fix Committed
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.