# lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2019-04-09T11:36:11Z

## Issue 1691: Password policy can't display messages
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1691
Updated: 2019-04-09T11:36:11Z
Author: Yadd
### Concerned version
Version: %2.0.0
Platform: Any
### Summary & logs
From lemonldap-ng-users@ow2.org:
> Our organization made the switch from the 1.9 branch to 2.0 (presently on 2.0.2) and we have been receiving dozens of reports from users that they are receiving an "Internal Server Error" (white background, plain text) when visiting the Portal, or trying to login. Our nginx logs are peppered with the following:
```
Can't locate object method "loadTemplate" via package "Lemonldap::NG::Portal::Lib::Net::LDAP" at /usr/local/share/perl5/site_perl/Lemonldap/NG/Portal/Lib/Net/LDAP.pm line 223" POST /?cancel=1 HTTP/1.1 and also POST /saml/singleSignOn?SAMLRequest=......
```
Milestone: 2.0.3
Assignee: Clément OUDOT

## Issue 1686: SOAP Portal WSDL file is invalid
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1686
Updated: 2019-04-15T06:15:03Z
Author: Julien Ledoux
### Concerned version
Version: 2.0.2
Platform: Docker / CentOS 7 / Apache 2.4.6 (mpm prefork)
### Summary
SOAP Portal WSDL file is invalid
I know SOAP web services are deprecated, but the functionality is still available so I tried it out, but I can't import the portal WSDL file into SoapUI. It says something is wrong with the file. I don't have this issue with 1.9.x
![Capture_d_écran_2019-03-26_à_18.33.49](/uploads/2c9f5bfbee82e740040d0822bcbc4f69/Capture_d_écran_2019-03-26_à_18.33.49.png)
![Capture_d_écran_2019-03-26_à_18.33.30](/uploads/54ef81ca2a4dd54dcbe1ca6ca601050d/Capture_d_écran_2019-03-26_à_18.33.30.png)
Milestone: 2.0.3
Assignee: Yadd

## Issue 1683: Changing configuration option cspScript has no effect
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1683
Updated: 2019-03-26T08:57:02Z
Author: Julien Ledoux
### Concerned version
Version: 2.0.2
Platform: Docker / CentOS 7 / Apache 2.4.6 (mpm prefork)
### Summary
Changing configuration option cspScript has no effect
In manager General Parameters > Advanced Parameters > Security > Content security policy, changing the 'script source' value has no effect since it's absent from the HTTP headers. I had to change the 'default value' instead.
Here is the value I get in portal page response headers:
```
Content-Security-Policy: default-src 'self' 'unsafe-eval';img-src 'self' data:;style-src 'self' 'unsafe-inline';font-src 'self';connect-src 'self';form-action 'self';frame-ancestors 'none';
```
As you can see 'script-src' is missing.
Milestone: 2.0.3
Assignee: Clément OUDOT

## Issue 1682: LinkedIn OAuth2 authentication is not available in combination modules list
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1682
Updated: 2019-03-26T06:01:32Z
Author: Julien Ledoux
### Concerned version
Version: 2.0.2
Platform: Docker / CentOS 7 / Apache 2.4.6 (mpm prefork)
### Summary
LinkedIn OAuth2 authentication is not available in combination modules list
As discussed with Clément OUDOT, it seems like it's just an oversight. No big deal.
Milestone: 2.0.3
Assignee: Clément OUDOT

## Issue 1680: In form replay, POST data keys are not URL encoded
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1680
Updated: 2019-03-25T13:24:01Z
Author: Clément OUDOT
In our code, we URI encode POST data values, but keys must be encoded too:
```perl
foreach ( keys %data ) {
    $data{$_} = uri_escape( $data{$_} );
}
```
Fix is coming
Milestone: 2.0.3
Assignee: Clément OUDOT

## Issue 1679: Default jQuery URL in form replay has changed
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1679
Updated: 2019-03-25T12:37:04Z
Author: Clément OUDOT
The default jQuery URL is using the old jQuery:
```perl
$jqueryUrl = &{ $class->tsv->{portal} } . "skins/common/js/jquery-1.10.2.js"
  if ( $jqueryUrl eq "default" );
```
We should now use the jquery in bwr/
Fix is coming.
Milestone: 2.0.3
Assignee: Clément OUDOT

## Issue 1676: Active Directory connection information not saved
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1676
Updated: 2019-03-26T15:34:52Z
Author: Ainal Saidin
### Concerned version
Version: 2.0.2
Platform: Apache (installed using RPMs)
### Summary
Active Directory connection information is not saved. This happens when adding AD as backend or editing existing AD connection after upgrade from version 1.9 or earlier. LDAP information, on the other hand, is saved. That is, LDAP connection information is saved when configuring LDAP backend.
When I used the difference viewer it says General Parameters --> Authentication Parameters --> Choice parameters --> Allowed Modules --> AD : New value AD;AD;AD;;;{}
### Logs
The configuration difference viewer shows General Parameters --> Authentication Parameters --> Choice parameters --> Allowed Modules --> AD : New value AD;AD;AD;;;{}
### Backends used
Active Directory
Milestone: 2.0.3
Assignee: Clément OUDOT

## Issue 1673: Application list display and specific rules
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1673
Updated: 2019-03-25T18:35:07Z
Author: Carl R.
### Concerned version
Version: %2.0.2
Platform: (Nginx/Apache/Node.js)
### Summary
Application display does not always respect defined specific rule
### Logs
```
no logs
```
### Backends used
For any bug on configuration/sessions storage, give us details on backends
### Possible fixes
I tried to identify the bug and found that it seems to come from what's called the "cache". Once I commented it out, every application is correctly displayed or hidden according to the defined special appdisplay rule:
In /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/Main/Menu.pm:
```perl
## @method private string _filterHash(hashref apphash)
# Remove unauthorized menu elements
# @param $apphash Menu elements
# @return filtered hash
sub _filterHash {
    my ( $self, $req, $apphash ) = @_;
    foreach my $key ( keys %$apphash ) {
        next if $key =~ /(type|options|catname)/;
        if ( $apphash->{$key}->{type}
            and $apphash->{$key}->{type} eq "category" )
        {
            # Filter the category
            $self->_filterHash( $req, $apphash->{$key} );
        }
        if ( $apphash->{$key}->{type}
            and $apphash->{$key}->{type} eq "application" )
        {
            # Find sub applications and filter them
            foreach my $appkey ( keys %{ $apphash->{$key} } ) {
                next if $appkey =~ /(type|options|catname)/;
                # We have sub elements, so we filter them
                $self->_filterHash( $req, $apphash->{$key} );
            }
            # Check rights
            my $appdisplay = $apphash->{$key}->{options}->{display}
              || "auto";
            my ( $vhost, $appuri ) =
              $apphash->{$key}->{options}->{uri} =~ m#^https?://([^/]*)(.*)#;
            $vhost =~ s/:\d+$//;
            $vhost = $self->p->HANDLER->resolveAlias($vhost);
            $appuri ||= '/';
            # Remove if display is "no" or "off"
            delete $apphash->{$key} and next if ( $appdisplay =~ /^(no|off)$/ );
            # Keep node if display is "yes" or "on"
            next if ( $appdisplay =~ /^(yes|on)$/ );
            my $cond = undef;
            # Handle partner rules (SAML, CAS or OIDC)
            if ( $appdisplay =~ /^sp:\s*(.*)$/ ) {
                $self->logger->warn("jepassedanssamlcasoidc");    #pouet
                my $p = $1;
                if ( my $sub = $self->p->spRules->{$p} ) {
                    eval {
                        delete $apphash->{$key}
                          unless ( $sub->( $req, $req->sessionInfo ) );
                    };
                    if ($@) {
                        $self->logger->error("Partner rule $p returns: $@");
                    }
                }
                next;
            }
            # If a specific rule exists, get it from cache or compile it
            if ( $appdisplay !~ /^auto$/i ) {
                # if ( $self->specific->{$appuri} ) {
                #     $cond = $self->specific->{$appuri};
                # }
                # else {
                $cond = $self->specific->{$appuri} =
                  $self->p->HANDLER->buildSub(
                    $self->p->HANDLER->substitute($appdisplay) );
                # }
            }
            # Check grant function if display is "auto" (this is the default)
            delete $apphash->{$key}
              unless (
                $self->p->HANDLER->grant(
                    $req, $req->sessionInfo, $appuri, $cond, $vhost
                )
              );
            next;
        }
    }
}
```
Milestone: 2.0.3
Assignee: Yadd

## Issue 1672: In SAML Issuer, environment variables to store current SP are not filled
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1672
Updated: 2019-03-13T09:55:16Z
Author: Clément OUDOT
The storeEnv method is called to fill `llng_saml_sp` and `llng_saml_spconfkey` env, but nothing is stored.
Fix is coming.
Milestone: 2.0.3
Assignee: Clément OUDOT

## Issue 1671: Error in SP-initiated saml logout with multiple SP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1671
Updated: 2019-04-03T10:36:11Z
Author: Maxime Besson
### Concerned version
Version: 2.0
### Summary
A fatal error (500) is encountered when logging out from a SAML service provider if another SAML service session is active.
The following steps can be used to reproduce:
* Create and register two service providers (in my example, mod_auth_mellon)
* Login to both service providers
* Use a SP-Initiated logout on one service provider (/secret/saml/logout?ReturnTo=http://sp.example.com/ with Mellon)
* Get an error 500 from Lemon
### Logs
In nginx logs
```
FastCGI sent in stderr: "Can't locate object method "do" via package "Lemonldap::NG::Portal::Issuer::SAML" at /usr/share/perl5/Lemonldap/NG/Portal/Issuer/SAML.pm line 1619" while reading response header from upstream
```
### Possible fixes
The issue is simple enough to find in Issuer/SAML.pm
```perl
# If no waiting SP, return directly SLO response
(...)
# Else build SLO status relay URL and display info
else {
    $req->{urldc} =
      $self->conf->{portal} . '/saml/relaySingleLogoutTermination';
    $self->p->setHiddenFormValue( $req, 'relay', $relayID );
    return $self->do( $req, [] );
}
```
However, replacing `$self->do` with `$self->p->do` doesn't improve the situation much, because there is no route for /saml/relaySingleLogoutTermination
Milestone: 2.0.3
Assignee: Clément OUDOT

## Issue 1656: No IP shown in history logon
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1656
Updated: 2019-04-09T19:55:33Z
Author: Mathieu Lecompte-melançon
### Concerned version
Version: %2.0.2
Platform: Nginx
### Summary
There is no IP displayed in the login history. It is a regression from 1.9.
![image](/uploads/ae2817154c162b65485a51d61031bc9a/image.png)
After checking in the persistent session, no IP is stored in _loginHistory
### Logs
```
ND
```
### Backends used
MONGODB
### Possible fixes
Milestone: 2.0.3
Assignee: Clément OUDOT

## Issue 1654: Password must change on AD still not fully working
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1654
Updated: 2019-04-02T09:26:17Z
Author: Daniel Berteaud
### Concerned version
Version: 2.0.2
Platform: CentOS 7 + nginx 1.15.8 with lua module
### Summary
This is a followup of bug #1639
Progress has been made, but the functionality to force a user to change their password on next login is still not perfectly working against AD (samba4 in my case).
Here's what happens:
* I create a user test, set a temp password and tick "User must change password on next login"
* I log this user in on the llng portal. I do get the "Password has been reset and now must be changed" information, and the form to reset the password (BTW, the "Password has been reset and now must be changed" msg is displayed in red, as if it were an error, while IMHO it should be displayed as an info, not an error). At this point, here are the logs:
```
févr. 16 11:24:13 proxyin2 LLNG[19922]: Launching ::Plugins::AutoSignin::check
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing extractFormInfo
févr. 16 11:24:13 proxyin2 LLNG[19922]: Trying to load token 1550240758_-24306
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing getUser
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing authenticate
févr. 16 11:24:13 proxyin2 LLNG[19922]: Call bind for CN=Test User,OU=People,DC=lapiole,DC=org
févr. 16 11:24:13 proxyin2 LLNG[19922]: Bad password
févr. 16 11:24:13 proxyin2 LLNG[19922]: [AD] Password has expired
févr. 16 11:24:13 proxyin2 LLNG[19922]: [AD] Password reset. User must change his password
févr. 16 11:24:13 proxyin2 LLNG[19922]: Prepare token
févr. 16 11:24:13 proxyin2 LLNG[19922]: Token 1550240773_-1658 created
févr. 16 11:24:13 proxyin2 LLNG[19922]: -> authResult = 25
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing setSessionInfo
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing setMacros
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing setPersistentSessionInfo
févr. 16 11:24:13 proxyin2 LLNG[19922]: Persistent session found for test
févr. 16 11:24:13 proxyin2 LLNG[19922]: Restore persistent parameter _loginHistory
févr. 16 11:24:13 proxyin2 LLNG[19922]: Restore persistent parameter _updateTime
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing storeHistory
févr. 16 11:24:13 proxyin2 LLNG[19922]: Current login saved into failedLogin
févr. 16 11:24:13 proxyin2 LLNG[19922]: Current login -> 25
févr. 16 11:24:13 proxyin2 LLNG[19922]: Found 'whatToTrace' -> test
févr. 16 11:24:13 proxyin2 LLNG[19922]: Update test persistent session
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing code ref
févr. 16 11:24:13 proxyin2 LLNG[19922]: Launching ::Plugins::GrantSession::run
févr. 16 11:24:13 proxyin2 LLNG[19922]: Returned error: 5
févr. 16 11:24:13 proxyin2 LLNG[19922]: Returned error: 25
févr. 16 11:24:13 proxyin2 LLNG[19922]: Skin returned: login
févr. 16 11:24:13 proxyin2 LLNG[19922]: Calling sendHtml with template login
févr. 16 11:24:13 proxyin2 LLNG[19922]: Skin bootstrap selected from GET/POST parameter
févr. 16 11:24:13 proxyin2 LLNG[19922]: Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
```
* Now, I enter the old password and the new one twice, and submit the form. I'd expect to be redirected to the portal. But I'm not. Instead, I just see the form to change my password again because it has expired. Here are the logs when I submit the reset password form
```
févr. 16 11:25:06 proxyin2 LLNG[19925]: Launching ::Plugins::AutoSignin::check
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing extractFormInfo
févr. 16 11:25:06 proxyin2 LLNG[19925]: Trying to load token 1550240773_-1658
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing getUser
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing authenticate
févr. 16 11:25:06 proxyin2 LLNG[19925]: Call modify password for CN=Test User,OU=People,DC=lapiole,DC=org
févr. 16 11:25:06 proxyin2 LLNG[19925]: Active Directory mode enabled
févr. 16 11:25:06 proxyin2 LLNG[19925]: Modification return code: 0
févr. 16 11:25:06 proxyin2 LLNG[19925]: Password changed CN=Test User,OU=People,DC=lapiole,DC=org
févr. 16 11:25:06 proxyin2 LLNG[19925]: Update password in session for test
févr. 16 11:25:06 proxyin2 LLNG[19925]: [AD] Password has expired
févr. 16 11:25:06 proxyin2 LLNG[19925]: [AD] Password reset. User must change his password
févr. 16 11:25:06 proxyin2 LLNG[19925]: Prepare token
févr. 16 11:25:06 proxyin2 LLNG[19925]: Token 1550240826_-15384 created
févr. 16 11:25:06 proxyin2 LLNG[19925]: -> authResult = 25
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing setSessionInfo
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing setMacros
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing setPersistentSessionInfo
févr. 16 11:25:06 proxyin2 LLNG[19925]: Persistent session found for test
févr. 16 11:25:06 proxyin2 LLNG[19925]: Restore persistent parameter _loginHistory
févr. 16 11:25:06 proxyin2 LLNG[19925]: Restore persistent parameter _updateTime
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing storeHistory
févr. 16 11:25:06 proxyin2 LLNG[19925]: Current login saved into failedLogin
févr. 16 11:25:06 proxyin2 LLNG[19925]: Current login -> 25
févr. 16 11:25:06 proxyin2 LLNG[19925]: Found 'whatToTrace' -> test
févr. 16 11:25:06 proxyin2 LLNG[19925]: Update test persistent session
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing code ref
févr. 16 11:25:06 proxyin2 LLNG[19925]: Launching ::Plugins::GrantSession::run
févr. 16 11:25:06 proxyin2 LLNG[19925]: Returned error: 5
févr. 16 11:25:06 proxyin2 LLNG[19925]: Returned error: 25
févr. 16 11:25:06 proxyin2 LLNG[19925]: Skin returned: login
févr. 16 11:25:06 proxyin2 LLNG[19925]: Calling sendHtml with template login
févr. 16 11:25:06 proxyin2 LLNG[19925]: Skin bootstrap selected from GET/POST parameter
```
* If I just open a new tab on the portal, I can log in with the new password, and I don't get the password expired.
### Backends used
CentOS 7, nginx 1.15.8 with lua module, LL::NG 2.0.2. DBI (MySQL) used for both config and session
Milestone: 2.0.3
Assignee: Clément OUDOT

## Issue 1543: Redirection lost with CAS RP -> Choice -> SAML Discovery Protocol -> SAML IDP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1543
Updated: 2019-03-13T09:55:39Z
Author: Clément OUDOT
When testing LL::NG 2.0 as CAS IDP, with a Choice to redirect to a SAML IDP (through the Renater WAYF page), when redirected back from the SAML IDP, we lose the CAS protocol context and are not redirected back to the CAS RP.
Maybe the issue is linked to the WAYF redirection.
Milestone: 2.0.3
Assignee: Clément OUDOT

## Issue 1744: [Security: low] register_token used for account creation can be used as a valid session identifier
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1744
Updated: 2019-05-15T11:48:39Z
Author: Clément OUDOT
### References
* [CVE-2019-12046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12046)
* [Debian #928944](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944)
### Resume
Duplicate of #1743 but for 1.9 branch
Milestone: 1.9.19
Assignee: Clément OUDOT

## Issue 1743: [Security: low] register_token used for account creation can be used as a valid session identifier
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1743
Updated: 2019-05-13T21:22:36Z
Author: Maxime Besson
### References
* [CVE-2019-12046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12046)
* [Debian #928944](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944)
### Concerned version
Version: %2.0.3
### Summary
The confirmation email contains a link that looks like this:
```
http://auth.example.com/register?register_token=9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f&skin=bootstrap
```
The register_token may be used as a valid session, before the account is even created in the Register backend
```
curl -b lemonldap=9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f http://test1.example.com/
```
The session is of course empty:
```
<li>Connected user: <ul>
<li><tt>$ENV{HTTP_AUTH_USER}</tt>: </li>
<li><tt>$ENV{REMOTE_USER}</tt>: </li>
```
But I'm pretty sure this is undesired behavior.
### Logs
```
cat /var/lib/lemonldap-ng/sessions/9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f
{
"_utime" : 1557493764,
"tokenSessionStartTimestamp" : 1557493764,
"_type" : "register",
"ipAddr" : "10.128.239.1",
"firstname" : "Bob",
"_session_kind" : "SSO",
"mail" : "hackerman@gibson.com",
"lastname" : "Hackerman",
"_session_id" : "9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f",
"tokenTimeoutTimestamp" : 1557565764
}
```
### Possible fixes
The register session shouldn't be using _session_kind: SSO, or the handler should not accept _type: register? Not sure what's the correct way here.
Milestone: 2.0.4
Assignee: Yadd

## Issue 1742: [Security: high, CVE-2019-12046] Setting tokenUseGlobalStorage allows unauthenticated users to access the portal (and applications without rules)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1742
Updated: 2019-05-13T20:24:06Z
Author: Maxime Besson
### References
* [CVE-2019-12046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12046)
* [Debian #928944](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944)
### Concerned version
Version: %2.0.3
### Summary
Any token stored in the "main" session database may be used as a valid session identifier to browse the portal and access applications with a bogus (all fields are empty), but nonetheless accepted, session.
This is an issue if tokens generated by OneTimeToken.pm are stored in the main session database, because these tokens are directly visible to unauthenticated users
Proof of concept:
First, enable `tokenUseGlobalStorage`, in the manager, then
```
$ curl -s http://auth.example.com/ | grep token
<input type="hidden" name="token" value="5e57a93005d3877cccafc6da806c2911fdb62ff2af60d9bb2b890b4253f2a862" />
$ curl -sb lemonldap=5e57a93005d3877cccafc6da806c2911fdb62ff2af60d9bb2b890b4253f2a862 http://auth.example.com/ | grep Connected
<span trspan="connectedAs">Connected as</span>
$ curl -sb lemonldap=5e57a93005d3877cccafc6da806c2911fdb62ff2af60d9bb2b890b4253f2a862 http://test1.lemonregister.lxd/ | grep title
<title>LemonLDAP::NG sample protected application</title>
```
We are logged onto the portal with an empty username, but that's enough to browse the application list, and accept applications that have no access rules (or rules that behave badly in the presence of an empty string!)
### Logs
```
LLNG[19019]: Get session 5e57a93005d3877cccafc6da806c2911fdb62ff2af60d9bb2b890b4253f2a862 from Handler::Main::Run
May 10 13:36:08 lemonregister LLNG[19019]: Check session validity from Handler
May 10 13:36:08 lemonregister LLNG[19019]: Session timeout -> 72000
```
In the global storage, tokens look like this:
```
{
"_session_kind" : "SSO",
"tokenSessionStartTimestamp" : 1557495341,
"_utime" : 1557423461,
"_type" : "token",
"tokenTimeoutTimestamp" : 1557495461,
"_session_id" : "9333f50d80fdbf77d584af01dba27a2dc72b94f841c44dd30d0b9ed42af589df"
}
```
That `"_session_kind" : "SSO",` is probably the root of the issue, as it doesn't appear when using tokens with the normal configuration (tokenUseGlobalStorage=0)
### Possible fixes
The handler and portal should probably check the _kind of the session they retrieve before accepting it.
Milestone: 2.0.4
Assignee: Yadd

## Issue 1716: [Security:minor] Update jQuery
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1716
Updated: 2019-04-19T12:53:09Z
Author: Yadd
### Concerned version
Version: all
Platform: any that use our embedded jQuery.
### Summary
jQuery before 3.4.0 is vulnerable to prototype pollution. See [Debian security tracker](https://security-tracker.debian.org/tracker/TEMP-0927330-1DAA6F)
Milestone: 2.0.4
Assignee: Clément OUDOT

## Issue 1567: [Security: low] Captcha session id is too weak
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1567
Updated: 2019-05-12T16:27:41Z
Author: Clément OUDOT
To build the captcha session id, we use the MD5 of the captcha code:
```
my $md5 = md5_hex($code);
```
But an attacker can brute force the MD5 to find the captcha code:
![image](/uploads/cd98ef0da775842a1e25393a7e1d9e36/image.png)
The recommendation is to have a captcha session id that has no link with the captcha code.
Seems the issue is for 1.9 and 2.0 versions.
Milestone: 1.9.19
Assignee: Clément OUDOT

## Issue 1741: Deleted category is not detected as a change when saving conf.
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1741
Updated: 2019-05-11T10:05:27Z
Author: Christophe Maudoux (chrmdx@gmail.com)
### Concerned version
Version: %"2.0.3"
### Summary
I deleted a category and I tried to save the new conf.
A warning is displayed -> "No change detected, saving aborted".
Same error occurs with a custom Category.
Create a new category -> save -> OK
Delete custom Category -> Save -> KO (no change detected...)
Deleted Apps are well detected.
```
1: {default: [{data: {catname: "Default category", type: "category"}, id: "applicationList/default",…}],…}
default: [{data: {catname: "Default category", type: "category"}, id: "applicationList/default",…}]
0: {data: {catname: "Default category", type: "category"}, id: "applicationList/default",…}
data: {catname: "Default category", type: "category"}
catname: "Default category"
type: "category"
id: "applicationList/default"
title: "default"
type: "catAndAppList"
help: "portalmenu.html#categories_and_applications"
id: "applicationList"
nodes: [{title: "Administration", id: "applicationList/0003-cat", nodes: [{title: "WebSSO Manager",…},…],…}]
0: {title: "Administration", id: "applicationList/0003-cat", nodes: [{title: "WebSSO Manager",…},…],…}
id: "applicationList/0003-cat"
nodes: [{title: "WebSSO Manager",…},…]
0: {title: "WebSSO Manager",…}
data: {description: "Configure LemonLDAP::NG WebSSO", uri: "https://manager.example.com:19876/manager.html",…}
id: "applicationList/0003-cat/0004-app"
title: "WebSSO Manager"
type: "menuApp"
1: {data: {display: "auto", uri: "https://manager.example.com:19876/notifications.html",…},…}
data: {display: "auto", uri: "https://manager.example.com:19876/notifications.html",…}
id: "applicationList/0003-cat/0005-app"
title: "Notifications explorer"
type: "menuApp"
2: {title: "Sessions explorer", data: {logo: "database.png", description: "Explore WebSSO sessions",…},…}
data: {logo: "database.png", description: "Explore WebSSO sessions",…}
id: "applicationList/0003-cat/0006-app"
title: "Sessions explorer"
type: "menuApp"
3: {data: {logo: "database.png", display: "auto", description: "Explore WebSSO 2FA sessions",…},…}
data: {logo: "database.png", display: "auto", description: "Explore WebSSO 2FA sessions",…}
id: "applicationList/0003-cat/0007-app"
title: "2FA Sessions explorer"
type: "menuApp"
title: "Administration"
type: "menuCat"
```
Seems Conf is well formatted and transmitted to Parser.pm but no change is detected...
Milestone: 2.0.4
Assignee: Christophe Maudoux (chrmdx@gmail.com)

## Issue 1738: Error not well catched with Ext2F
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1738
Updated: 2019-05-06T12:29:05Z
Author: Clément OUDOT
When using Ext2F, if the send command fails, we have an error rendering the template:
```
[debug] Launching "Send" external 2F command -> curl -s -G --data-urlencode "from=+412345678" --data-urlencode "username=user" --data-urlencode "'password=password" --data-urlencode "to=$mobile" --data-urlencode "$code" http://sms.example.com/sms
[error] External send command failed (code 1536)
[debug] Processing code ref
[debug] Returned error: 24
[debug] Skin returned: error
[debug] Calling sendHtml with template error
[debug] Skin bootstrap selected from GET/POST parameter
[debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/error.tpl
[debug] Skin bootstrap selected from GET/POST parameter
[debug] Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/error.tpl
[debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action 'self' *.openid.club *.facebook.com *.twitter.com *.renater.com;frame-ancestors 'none';
[debug] Returned error: ARRAY(0x55c1885d7380)
```
We should never have an ARRAY in return code.
Milestone: 2.0.4
Assignee: Clément OUDOT