Your message dated Mon, 23 Jan 2017 22:33:34 +0000 with message-id <[email protected]> and subject line "Bug#703139: fixed in awl 0.57-1" has caused the Debian Bug report #703139, regarding "awl: potential security issues in login and session handling", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
703139: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703139
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: awl
Version: 0.53-1
Severity: important
Tags: security upstream

Hi.

I was looking through /usr/share/awl/inc/Session.php in order to write a patch to add support for Apache's REDIRECT_REMOTE_USER to the "normal" REMOTE_USER env var and stumbled across some potential issues.

1) In _CheckLogin()... there is that case:

    else if ( !isset($_COOKIE['sid']) && isset($c->authenticate_hook['server_auth_type']) )

with then:

    if ( is_array($c->authenticate_hook['server_auth_type']) ) {
    ...
    else if ( $c->authenticate_hook['server_auth_type'] == $_SERVER['AUTH_TYPE'] ) {
    ...

In the second case, i.e. server_auth_type is not an array, the following happens for the login:

    list($username) = explode('@', $_SERVER['REMOTE_USER']);
    $this->Login($username, "", true); // Password will not be checked.

a) First it's already questionable why the array case is handled differently, because AFAIU... when server_auth_type is an array that means just that more auth methods are tried...

b) But more critical is the explode... and that everything behind an "@" is split off from REMOTE_USER. I guess the idea is to take only the "foo" in usernames of the form "[email protected]"... but this is IMHO a security issue. Given that Davical can serve many vhosts/domains from one and the same DB, there might be different users like [email protected] and [email protected]... but now... these get "mapped" to the same davical username.

Solution... don't do the explode.... or will this have any side effects?

2) Less serious and more abstract... the LSIDLogin()... aka "long term session cookies".

Yeah well, the comments in the code already tell that "this is all horribly insecure".... which makes me shiver and question whether the whole thing shouldn't be reconsidered...

The LSID is md5_user_no;validation_string... md5_user_no is simply the MD5sum of the numeric UIDs... so everyone can calculate these very easily.

Even though I don't think that this already means a security problem (all credentials seem to be in validation_string)... it makes me wonder why the MD5 is made of this?

The LSID doesn't contain an expiry date... well, that alone is not a problem, as we more or less tell the users ("forget me not") that this will stay.

What works is: if a user changes the pwd... the LSID won't work anymore.

But small problem: in case a user tries to login with a LSID cookie and that fails... then IMHO that cookie should be deleted... even if it's just for clean up.

Cheers,
Chris.
--- End Message ---
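To make point 1b concrete, here is an added example written for this page (not AWL's own code): it models the REMOTE_USER-to-username step from Session::_CheckLogin() as the report describes it, beside a hardened variant that follows the report's suggestion not to explode. The function names and sample principals are hypothetical, and $allowedRealm stands in for a per-vhost realm taken from the site configuration.

```php
<?php
// Added example, not AWL's own code. Models the REMOTE_USER-to-username step
// from Session::_CheckLogin() as the bug report describes it, beside a
// hardened variant. Function names and sample principals are hypothetical.

// What the report describes: explode('@') keeps only the part before the first
// '@', so principals that differ only in realm collapse to one DAViCal user.
function usernameFromRemoteUserInsecure(string $remoteUser): string
{
    list($username) = explode('@', $remoteUser);
    return $username;
}

// Hardened variant, following the report's suggestion not to explode: the full
// principal is kept as the identity. The realm is stripped only when it equals
// the realm this vhost is configured for (assumption: $allowedRealm comes from
// the site config), so 'foo' on realm A can never be confused with 'foo' on realm B.
function usernameFromRemoteUserSafe(string $remoteUser, ?string $allowedRealm = null): string
{
    $at = strrpos($remoteUser, '@');
    if ($at === false) {
        return $remoteUser;                       // plain username, nothing to strip
    }
    $local = substr($remoteUser, 0, $at);
    $realm = substr($remoteUser, $at + 1);
    if ($allowedRealm !== null && $local !== '' && strcasecmp($realm, $allowedRealm) === 0) {
        return $local;                            // our own realm: keep the short form
    }
    return $remoteUser;                           // foreign realm: keep the full principal
}

// Constructed sample principals for a vhost whose configured realm is example.org.
$vhostRealm   = 'example.org';
$principals   = ['foo@example.org', 'foo@example.net', 'bar'];
$seenInsecure = [];
foreach ($principals as $p) {
    $insecure = usernameFromRemoteUserInsecure($p);
    $safe     = usernameFromRemoteUserSafe($p, $vhostRealm);
    // Flag the collision the report warns about: two principals, one insecure username.
    $clash    = isset($seenInsecure[$insecure]) ? ' (collides with ' . $seenInsecure[$insecure] . ')' : '';
    $seenInsecure[$insecure] = $p;
    printf("%-16s  insecure=%-6s  safe=%s%s\n", $p, $insecure, $safe, $clash);
}
```

Running it shows the two 'foo' principals colliding under the insecure mapping while the hardened one keeps 'foo@example.net' as a distinct identity.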
--- Begin Message ---
Source: awl
Source-Version: 0.57-1

We believe that the bug you reported is fixed in the latest version of awl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Schlichting <[email protected]> (supplier of updated awl package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 Jan 2017 23:11:47 +0100
Source: awl
Binary: libawl-php awl-doc
Architecture: source all
Version: 0.57-1
Distribution: unstable
Urgency: medium
Maintainer: Davical Development Team <[email protected]>
Changed-By: Florian Schlichting <[email protected]>
Description:
 awl-doc    - Andrew's Web Libraries - API documentation
 libawl-php - Andrew's Web Libraries - PHP Utility Libraries
Closes: 643907 703139 837154
Changes:
 awl (0.57-1) unstable; urgency=medium
 .
   * New upstream release (closes: #643907, #703139, #837154, LP: #1554352)
   * Use secure URIs
   * Bump copyright years
   * Use jdupes to remove duplicate files in awl-doc
   * Mark libawl-php and awl-doc "Multi-Arch: foreign" as suggested by the Multiarch hinter
--- End Message ---