Package: liblemonldap-ng-portal-perl
Severity: grave
Tags: security upstream patch
Justification: user security hole
Forwarded: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
Found: 1.9.7-3
Hi all,
during an internal audit, one of lemonldap-ng's developers discovered an
attack vector. It opens 3 security issues:
- [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are
enabled (default) and tokens are stored in the session DB (not default,
used with poor load-balancers), the token can be used to open an
anonymous short-life session (2 min). It allows one to access all
applications without additional rules
- [high] for every version < 2.0.4 or 1.9.19: when SAML/OIDC tokens are
stored in the session DB (not default), tokens can be used to obtain an
anonymous session
- [low] for every version < 2.0.4 or 1.9.19: when self-registration
is allowed, the mail token can be used to obtain an anonymous session.
Attachments:
- lemonldap-ng_2.0.2+ds-6.debdiff: fix for stretch
- lemonldap-ng_2.0.2+ds-7.patch: patch for Buster. It includes 3 new
upstream tests to prove that vulnerabilities are fixed
- llng-1742-test.sh: a small tool that can be used to test an existing
2.0.x installation
This issue also affects Ubuntu-19.04 which includes lemonldap-ng_2.0.2+ds-6.
Cheers,
Xavier
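The attack vector described in the report, in miniature, as an added Perl example that is not part of the bug report or of LemonLDAP::NG: a constructed in-memory store in which SSO sessions and one-time tokens share a single table addressed by id alone. The `_session_kind` and `_session_id` field names are the ones the patch checks; the `TOKEN` kind name, the `uid` and `_type` fields and the record ids are assumptions made for the example. The unchecked lookup accepts a CSRF token id as if it were a session; the checked one requires the caller's expected kind to match the stored one and also refuses a record that carries no kind at all.

```perl
#!/usr/bin/perl
# Added example (not LemonLDAP::NG code): a toy session store holding two
# record kinds, showing why a lookup by id must also check the stored kind.
use strict;
use warnings;

# Constructed in-memory store standing in for the session DB. A real SSO
# session and a one-time CSRF token sit in the same table; kind names and
# field names other than _session_kind/_session_id are assumptions.
my %store = (
    'a1b2c3' => { _session_kind => 'SSO',   _session_id => 'a1b2c3',
                  uid => 'dwho',  _utime => time },
    'f00d42' => { _session_kind => 'TOKEN', _session_id => 'f00d42',
                  _type => 'csrf', _utime => time },
);

# Vulnerable lookup: whatever record is found under $id is handed back as a
# session, so a CSRF token id passes for an (anonymous) SSO session.
sub get_session_unchecked {
    my ($id) = @_;
    return $store{$id};
}

# Hardened lookup: the caller states the kind it expects; the record's own
# _session_kind must match, and a record with no kind is rejected rather
# than silently accepted.
sub get_session_checked {
    my ( $id, $expected_kind ) = @_;
    my $data = $store{$id} or return ( undef, "no such session" );
    my $kind = $data->{_session_kind};
    return ( undef, "session has no kind" ) unless defined $kind;
    return ( undef, "kind mismatch: $kind is not $expected_kind" )
      unless $kind eq $expected_kind;
    return ( $data, undef );
}

# Try a real session id, a token id and an unknown id against both lookups.
for my $id (qw(a1b2c3 f00d42 nope)) {
    my $u = get_session_unchecked($id);
    printf "%-7s unchecked: %s\n", $id,
      $u
      ? "accepted as session (uid=" . ( $u->{uid} // 'none' ) . ")"
      : "rejected";
    my ( $s, $err ) = get_session_checked( $id, 'SSO' );
    printf "%-7s checked:   %s\n", $id,
      $s ? "accepted (uid=$s->{uid})" : "rejected: $err";
}
```

The token record is accepted by the unchecked lookup with no `uid` at all, which is the anonymous session the report describes; the checked lookup refuses it on the kind mismatch.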
Description: Fix for CVE
When CSRF is enabled (default) and tokens are stored in the session database
(not default, used for poor load balancers), a short-life session can be
created without being authenticated.
This patch also fixes a low-level vulnerability in self-registration (same vector,
see https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1743)
.
This patch also adds 2 new upstream tests to prove that the issues are fixed.
.
https://security-tracker.debian.org/tracker/CVE-2019-12046
Author: Xavier Guimard
Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
Bug-Debian: https://bugs.debian.org/
Bug-Ubuntu: https://launchpad.net/bugs/
Forwarded: not-needed
Last-Update: 2019-05-12
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/REST.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/REST.pm
@@ -21,7 +21,7 @@
modified => 0,
};
foreach (
-qw(baseUrl user password realm localStorage localStorageOptions lwpOpts lwpSslOpts)
+qw(baseUrl user password realm localStorage localStorageOptions lwpOpts lwpSslOpts kind)
)
{
$self->{$_} = $args->{$_};
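Review bot: `kind` is copied from `$args` with no default, so a caller that does not pass it leaves `$self->{kind}` undef, and that value is later compared against `'SSO'` and appended to the request URL. Suggest `$self->{kind} //= 'SSO';` after the loop so the field is always defined.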
@@ -116,8 +116,13 @@
sub getJson {
my $self = shift;
-my $url = shift;
-my $resp = $self->ua->get( $self->base . $url, @_ );
+my $id = shift;
+my $resp = $self->ua->get(
+$self->base
+ . $id
+ . ( $self->{kind} ne 'SSO' ? "?kind=$self->{kind}" : '' ),
+@_
+);
if ( $resp->is_success ) {
my $res;
eval { $res = from_json( $resp->content, { allow_nonref => 1 } ) };
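Review bot: `$self->{kind} ne 'SSO'` warns under `use warnings` when `kind` was never set and then appends a bare `?kind=` to the request; guard it with `defined $self->{kind} && $self->{kind} ne 'SSO'`. The value is also interpolated into the URL unescaped now that it is a query parameter, so pass it through `URI::Escape::uri_escape` or restrict it to `\w+` first. Renaming the parameter from `$url` to `$id` changes the contract of `getJson` as well: a caller that still passes a path with its own query string will get a URL containing two `?`.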
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session.pm
@@ -139,6 +139,14 @@
# Load session data into object
if ($data) {
+if ( $self->kind and $data->{_session_kind} ) {
+unless ( $data->{_session_kind} eq $self->kind ) {
+$self->error(
+"Session kind mismatch : $data->{_session_kind} is not "
+ . $self->kind );
+return undef;
+}
+}
$self->_save_data($data);
$self->kind( $data->{_session_kind} );
$self->id( $data->{_session_id} );
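Review bot: the mismatch check is skipped whenever the stored record has no `_session_kind`, because of the `and $data->{_session_kind}` in the condition; a record written before kinds were recorded, or by a backend that never set the field, is then accepted for any requested kind, and `$self->kind` is overwritten with undef two lines later. When `$self->kind` was requested, treat a missing `_session_kind` as a mismatch too, e.g. `if ( $self->kind and ( $data->{_session_kind} // '' ) ne $self->kind ) { ... }`.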
@@ -158,7 +166,7 @@
if ( $self->storageModule =~ /^Lemonldap::NG::Common::Apache::Session/ )
{
tie %h, $self->storageModule, $self->id,
- { %{ $self->options }, %$options };
+ { %{ $self->options }, %$options, kind => $self->kind };
}
else {
tie %h, 'Lemonldap::NG::Common::Apache::Session', $self->id,
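Review bot: `kind => $self->kind` is forwarded only in the `Lemonldap::NG::Common::Apache::Session` branch; the `else` branch that ties through the wrapper module is not shown receiving it, so a REST backend reached that way would still be queried without `?kind=`. Please confirm the wrapper branch forwards `kind` as well, and that storage modules which do not know the option ignore the extra key rather than failing on it.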
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session/REST.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session/REST.pm
@@ -248,7 +248,7 @@
Lemonldap::NG::Handler::PSGI::Main->tsv->{sessionCacheOptions},
id=> $id,
force => $force,
-kind => $mod->{kind},
+( $id ? () : ( kind => $mod->{kind} ) ),
( $info ? ( info => $info ) : () ),
}
);
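Review bot: dropping `kind` from the constructor arguments whenever `$id` is given leaves `$self->kind` unset for every lookup by id, and the new check in `Lemonldap::NG::Common::Session` only runs when `$self->kind` is true, so it cannot fire on this path. Since `$mod->{kind}` is exactly the value the next hunk takes from the client's `kind` parameter, please explain where a by-id lookup compares the requested kind against the stored `_session_kind`, or keep `kind => $mod->{kind}` for the `$id` case as well.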
@@ -271,6 +271,9 @@
$self->error('Unknown (or unconfigured) session type');
return ();
}
+if ( my $kind = $req->params('kind') ) {
+$m->{kind} = $kind;
+}
return $m;
}
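Review bot: `$req->params('kind')` is taken straight from the request and stored in `$m->{kind}` without validation, overriding the kind derived from the configured module. Restrict it to the kinds this server actually serves (or at least to `/^\w+$/`) and reject the request otherwise, so a client cannot make the session server look a record up under an arbitrary kind string.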
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OneTimeToken.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OneTimeToken.pm
@@ -5,7 +5,7 @@
use JSON qw(from_json to_json);
use Crypt::URandom;
-our $VERSION = '2.0.2';
+our $VERSION = '2.0.4';