Re: CVE-2016-2313 fix wrong

2016-07-29 Thread Emilio Pozuelo Monfort
On 28/07/16 14:59, Matus UHLAR - fantomas wrote:
>> On 28/07/16 13:35, Matus UHLAR - fantomas wrote:
>>> i believe the fix for CVE-2016-2313 in
>>> CVE-2016-2313-authentication-bypass.patch is invalid.
> 
> On 28.07.16 14:26, Emilio Pozuelo Monfort wrote:
>> Thanks for the report. I'll look at it later today.
> 
> I have posted cacti bug http://bugs.cacti.net/view.php?id=2697
> and attached patch
> http://bugs.cacti.net/file_download.php?file_id=1229=bug
> 
> that should fix the issue. The patch is to be applied to the "fixed" version
> in Debian.

The patch looks sensible to me, but I'd like to give upstream a few days to 
comment.

BTW you may want to send a pull request at https://github.com/Cacti/cacti

Cheers,
Emilio



Re: CVE-2016-2313 fix wrong

2016-07-28 Thread Matus UHLAR - fantomas

> On 28/07/16 13:35, Matus UHLAR - fantomas wrote:
>> I believe the fix for CVE-2016-2313 in
>> CVE-2016-2313-authentication-bypass.patch is invalid.

On 28.07.16 14:26, Emilio Pozuelo Monfort wrote:
> Thanks for the report. I'll look at it later today.


I have posted cacti bug http://bugs.cacti.net/view.php?id=2697
and attached patch
http://bugs.cacti.net/file_download.php?file_id=1229=bug

that should fix the issue. The patch is to be applied to the "fixed" version
in Debian.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete



CVE-2016-2313 fix wrong

2016-07-28 Thread Matus UHLAR - fantomas

Hello,

I believe the fix for CVE-2016-2313 in
CVE-2016-2313-authentication-bypass.patch is invalid.

 Quoting the authorization settings:

Web Basic Authentication - Authentication is handled by the web server.
Users can be added or created automatically on first login if the Template
User is defined, otherwise the defined guest permissions will be used. 


this patch makes authentication fail when the template user is not set, but
the guest user is set, while in such case guest user should be used.

Unfortunately the original bug report does not have a fix for this, and the last
comment says:

"
(0007083)
cigamit (developer)
2016-03-06 11:01

 agree and it's been re-fixed in 1.0. Will backport shortly. 
"



I believe that the patch could be fixed simply by changing the test from:


+   if (!$user && read_config_option('user_template') == '0') {

to something like:

+   if (!$user && read_config_option('user_template') == '0' && 
read_config_option('guest_user') == '0') {
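Review bot: the widened condition only decides whether to error out; for the case it newly lets through (user unknown, `user_template` is '0', `guest_user` is set) please confirm that the code after this `if` actually maps the login to the guest user instead of continuing into template-based user creation with a template of '0'. Separately, the loose `== '0'` comparison does not match an option that comes back as an empty string (`'' == '0'` is false in PHP), so if `read_config_option()` can return '' for a setting that was never saved, treat '' like '0', e.g. `empty(read_config_option('guest_user'))`, or the check is skipped for that configuration.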

and of course the error messages:

+   cacti_log("ERROR: User '" . $username . "' authenticated by 
Web Server, but a Template User is not defined in Cacti.  Exiting.", false, 'AUTH');
+   $username = htmlspecialchars($username);
+   auth_display_custom_error_message("$username authenticated 
by Web Server, but a Template User is not defined in Cacti.");

to:

+   cacti_log("ERROR: User '" . $username . "' authenticated by 
Web Server, but a Template User and a Guest User are not defined in Cacti.  Exiting.", false, 
'AUTH');
+   $username = htmlspecialchars($username);
+   auth_display_custom_error_message("$username authenticated 
by Web Server, but a Template User and a Guest User are not defined in Cacti.");
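Review bot: "a Template User and a Guest User are not defined" is ambiguous (it can be read as both being required); say "neither a Template User nor a Guest User is defined" in both the cacti_log() string and the auth_display_custom_error_message() string. Logging the raw $username while the displayed message uses the htmlspecialchars() copy is the right split; building the message text once and reusing it for both calls would keep the two copies from drifting.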

This seems to work on our Cacti installation.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.
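An added example, not Cacti's own code and not part of the thread above, that models the Web Basic Authentication decision the messages describe: an existing user is used as-is, an unknown user is created from the Template User if one is defined, otherwise the Guest User applies (the setting description quoted in the first message). It puts the check from the Debian CVE-2016-2313 patch next to the check proposed in the thread and shows that only the latter lets a guest-only configuration through. The option names `user_template` and `guest_user` come from the quoted patch; the function names, the `$options` array standing in for `read_config_option()`, and the sample configurations are assumptions made for the illustration.

```php
<?php
// Added example, not Cacti's own code. Option names 'user_template' and
// 'guest_user' are taken from the quoted patch; the helpers below, the
// $options array standing in for read_config_option(), and the sample
// configurations are assumptions. As in the patch, the value '0' means "not set".

function read_option(array $options, string $name): string
{
    return array_key_exists($name, $options) ? (string) $options[$name] : '0';
}

// Common tail of both variants, following the setting description quoted in
// the thread: existing user as-is, unknown user from the Template User if one
// is defined, otherwise the Guest User.
function map_user(array $options, ?string $existing, string $username): array
{
    if ($existing !== null && $existing !== '') {
        return ['user' => $existing, 'source' => 'existing'];
    }
    if (read_option($options, 'user_template') != '0') {
        return ['user' => $username, 'source' => 'template'];
    }
    return ['user' => read_option($options, 'guest_user'), 'source' => 'guest'];
}

// Check as in the Debian patch: any unknown user is rejected whenever no
// Template User is set, even if a Guest User is configured.
function resolve_patched(array $options, ?string $existing, string $username): array
{
    if (!$existing && read_option($options, 'user_template') == '0') {
        return ['error' => htmlspecialchars($username)
            . ' authenticated by Web Server, but a Template User is not defined in Cacti.'];
    }
    return map_user($options, $existing, $username);
}

// Check as proposed in the thread: only reject when neither is defined.
function resolve_proposed(array $options, ?string $existing, string $username): array
{
    if (!$existing
        && read_option($options, 'user_template') == '0'
        && read_option($options, 'guest_user') == '0') {
        return ['error' => htmlspecialchars($username)
            . ' authenticated by Web Server, but neither a Template User nor a Guest User is defined in Cacti.'];
    }
    return map_user($options, $existing, $username);
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed configurations (assumed; user ids are arbitrary).
$guestOnly = ['user_template' => '0', 'guest_user' => '5'];
$neither   = ['user_template' => '0', 'guest_user' => '0'];
$template  = ['user_template' => '3', 'guest_user' => '0'];

// Guest-only site, unknown user "alice" authenticated by the web server:
// the patched check rejects her, the proposed check maps her to the guest user.
$a = resolve_patched($guestOnly, null, 'alice');
$b = resolve_proposed($guestOnly, null, 'alice');
expect(isset($a['error']), 'patched check rejects guest-only login');
expect($b === ['user' => '5', 'source' => 'guest'], 'proposed check uses guest user');

// Neither defined: both variants refuse the login, which is what the CVE fix intended.
expect(isset(resolve_patched($neither, null, 'bob')['error']), 'patched refuses when neither set');
expect(isset(resolve_proposed($neither, null, 'bob')['error']), 'proposed refuses when neither set');

// Template defined: the unknown user is created from the template either way.
expect(resolve_patched($template, null, 'carol')['source'] === 'template', 'patched uses template');
expect(resolve_proposed($template, null, 'carol')['source'] === 'template', 'proposed uses template');

echo 'guest-only, patched check:  ', $a['error'], PHP_EOL;
echo 'guest-only, proposed check: ', json_encode($b), PHP_EOL;
```

Run with `php example.php`; the only case in which the two checks disagree is the guest-only configuration, which is exactly the regression the thread reports.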