GrantSession plugin discloses its message to unauthenticated users
Concerned version
Version: 2.0.1+20190124205
Platform: Debian Stretch + Nginx
Summary
The session opening condition is evaluated regardless of whether authentication succeeded.
Try the following steps in demo mode:
- Add a session opening condition that restricts login to dwho with
$uid eq "dwho"
- Try to login as rtyler with a bad password
- The message from GrantSession is displayed.
I think most users are expecting to see an "incorrect password" message instead.
This feels to me like a security/privacy issue, letting an anonymous user know that some logins exist in the system (but cannot login). I'm sure it could be interesting information in some sensitive contexts. I'm flagging the issue as confidential for now.
Logs
Processing authenticate
Prepare token
Token 1548712519_3983 created
-> authResult = 5
Processing setSessionInfo
Processing setMacros
Processing setPersistentSessionInfo
Persistent session found for rtyler
Restore persistent parameter _loginHistory
Processing storeHistory
Current login saved into failedLogin
Current login -> 5
Found 'whatToTrace' -> rtyler
Update rtyler persistent session
Processing code ref
Launching ::Plugins::GrantSession::run
Grant session condition -> $uid eq dwho
Message -> Message
User rtyler was not granted to open session (rule -> Message)
Returned error: 41
Display: info detected
Hidden values -> $VAR1 = undef;
Skin returned: info
Calling sendHtml with template info
Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/info.tpl
Skin bootstrap selected from GET/POST parameter
Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/info.tpl
Required urldc : http://auth.lemontest.lxc/
Set CSP form-action with urldc : http://auth.lemontest.lxc
Required Params URL : http://auth.lemontest.lxc/
Set CSP form-action with Params URL : http://auth.lemontest.lxc
Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';form-action 'self' http://auth.lemontest.lxc http://auth.lemontest.lxc;frame-ancestors 'none';
Possible fixes
Maybe testing for $req->authResult before checking the rules?
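As an added illustration (not LemonLDAP::NG's own code), here is a small Perl model of the authenticate -> GrantSession sequence with the rule from the report, showing the current ordering next to the fix suggested above. The request hash, the new_req/authenticate/grant_session_* helpers and PE_OK = 0 are assumptions made for the example; 5 (authResult) and 41 (returned error) are the codes visible in the logs.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: a minimal model of the portal's
# authenticate -> plugin run sequence. It shows why a session opening rule
# evaluated before the authentication result is checked returns the rule
# message on a bad password, and the fix (bail out unless authResult is PE_OK).
use strict;
use warnings;

# Constants modelled on Lemonldap::NG::Portal::Main::Constants. The values
# 5 (PE_BADCREDENTIALS) and 41 (PE_INFO) are those seen in the logs above;
# PE_OK = 0 is an assumption of this example.
use constant { PE_OK => 0, PE_BADCREDENTIALS => 5, PE_INFO => 41 };

# Constructed user database for the demo (same logins as the demo backend).
my %passwords = ( dwho => 'dwho', rtyler => 'rtyler' );

# Minimal request object carrying only the fields the example needs.
sub new_req {
    my ( $user, $pw ) = @_;
    return { user => $user, password => $pw, authResult => undef, info => undef };
}

# Stand-in for the Auth backend: sets authResult the way the portal does.
sub authenticate {
    my $req = shift;
    my $ok  = exists $passwords{ $req->{user} }
      && $passwords{ $req->{user} } eq $req->{password};
    $req->{authResult} = $ok ? PE_OK : PE_BADCREDENTIALS;
    return $req->{authResult};
}

# Rule and message as configured in the report: only dwho may open a session.
my @rules = ( { cond => sub { $_[0]->{user} eq 'dwho' }, message => 'Message' } );

# Current ordering: the rule runs even when authentication failed, so a
# visitor sending any password for rtyler gets the rule message (error 41).
sub grant_session_current {
    my $req = shift;
    for my $r (@rules) {
        next if $r->{cond}->($req);
        $req->{info} = $r->{message};
        return PE_INFO;
    }
    return PE_OK;
}

# Fixed ordering (the suggestion in "Possible fixes"): short-circuit on a
# failed authentication, so the rule message is only reachable after a
# successful login.
sub grant_session_fixed {
    my $req = shift;
    return $req->{authResult} unless $req->{authResult} == PE_OK;
    return grant_session_current($req);    # same rule evaluation, now gated
}

# Full flow: authenticate, then run the plugin; returns (code, info message).
sub login {
    my ( $plugin, $user, $pw ) = @_;
    my $req = new_req( $user, $pw );
    authenticate($req);
    my $code = $plugin->($req);
    return ( $code, $req->{info} );
}

for my $case ( [ 'rtyler', 'wrong' ], [ 'rtyler', 'rtyler' ], [ 'dwho', 'dwho' ] ) {
    my ( $cc, $cm ) = login( \&grant_session_current, @$case );
    my ( $fc, $fm ) = login( \&grant_session_fixed,   @$case );
    printf "%-7s %-7s current: %2d %-8s fixed: %2d %s\n",
      @$case, $cc, $cm // '-', $fc, $fm // '-';
}
```

With the current ordering, rtyler with a wrong password ends in code 41 and the rule message, exactly as in the logs; with the fixed ordering the same request ends in code 5 (bad credentials) and the rule is never evaluated, while dwho with the right password still opens a session and rtyler with the right password still gets the rule message.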