[Security: low] register_token used for account creation can be used as a valid session identifier
References
Concerned version
Version: 2.0.3
Summary
The confirmation email contains a link that looks like this:
http://auth.example.com/register?register_token=9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f&skin=bootstrap
The register_token may be used as a valid session, before the account is even created in the Register backend
curl -b lemonldap=9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f http://test1.example.com/
The session is of course empty:
<li>Connected user: <ul>
<li><tt>$ENV{HTTP_AUTH_USER}</tt>: </li>
<li><tt>$ENV{REMOTE_USER}</tt>: </li>
But I'm pretty sure this is undesired behavior.
Logs
cat /var/lib/lemonldap-ng/sessions/9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f
{
"_utime" : 1557493764,
"tokenSessionStartTimestamp" : 1557493764,
"_type" : "register",
"ipAddr" : "10.128.239.1",
"firstname" : "Bob",
"_session_kind" : "SSO",
"mail" : "hackerman@gibson.com",
"lastname" : "Hackerman",
"_session_id" : "9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f",
"tokenTimeoutTimestamp" : 1557565764
}
Possible fixes
The register session shouldn't be using _session_kind: SSO, or the handler should not accept _type: register? Not sure what's the correct way here.
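The two fixes sketched above amount to the same check from the handler's side: a stored record is only an authenticated session if it is an SSO-kind record that is not a registration (or similar) token and that actually names a user. The following is an added illustration written for this report, not LemonLDAP::NG code; it assumes that a normal logged-in session carries a `_user` field and no `_type` of `register` (field names other than those shown in the session dump above are assumptions), and it uses the register session from the dump plus a constructed login session as input. The second function is the detection side: scanning a file-based session store for register records that a handler would currently accept.

```python
"""Added example (not LemonLDAP::NG code): decide whether a stored session
record may be used as an authenticated SSO session, and find stored
records that a handler would wrongly accept."""
import json
from pathlib import Path

# Token types that never represent a logged-in user, even when the record
# is stored with _session_kind "SSO" (the issue shows "register" doing so).
NON_LOGIN_TYPES = {"register"}

# The register session exactly as dumped in the issue.
REGISTER_SESSION = json.loads("""{
  "_utime" : 1557493764,
  "tokenSessionStartTimestamp" : 1557493764,
  "_type" : "register",
  "ipAddr" : "10.128.239.1",
  "firstname" : "Bob",
  "_session_kind" : "SSO",
  "mail" : "hackerman@gibson.com",
  "lastname" : "Hackerman",
  "_session_id" : "9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f",
  "tokenTimeoutTimestamp" : 1557565764
}""")

# Constructed: what an ordinary authenticated session is assumed to look
# like (the "_user" field is an assumption, not taken from the issue).
LOGIN_SESSION = {
    "_utime": 1557493800,
    "_session_kind": "SSO",
    "_user": "bob",
    "ipAddr": "10.128.239.1",
    "_session_id": "0" * 64,
}


def is_usable_sso_session(record):
    """Return True only if the handler may treat this record as a login.

    All three conditions must hold; the register session from the issue
    fails the second and third.
    """
    if record.get("_session_kind") != "SSO":
        return False                       # not an SSO record at all
    if record.get("_type") in NON_LOGIN_TYPES:
        return False                       # a registration/mail token
    if not record.get("_user"):
        return False                       # no authenticated identity
    return True


def find_misfiled_records(records):
    """records: mapping of session id -> decoded record.

    Returns the ids of records stored as SSO sessions that are really
    non-login tokens, i.e. the ones a handler would currently accept.
    """
    return sorted(
        sid for sid, rec in records.items()
        if rec.get("_session_kind") == "SSO"
        and rec.get("_type") in NON_LOGIN_TYPES
    )


def scan_session_dir(session_dir):
    """Load every JSON file in a file-based session store (for example
    /var/lib/lemonldap-ng/sessions, as in the issue) and report the
    misfiled ones. Unreadable or non-JSON files are skipped."""
    records = {}
    for path in Path(session_dir).iterdir():
        try:
            records[path.name] = json.loads(path.read_text())
        except (OSError, ValueError):
            continue
    return find_misfiled_records(records)


if __name__ == "__main__":
    print("register token usable as login:",
          is_usable_sso_session(REGISTER_SESSION))   # False
    print("login session usable:",
          is_usable_sso_session(LOGIN_SESSION))      # True
    print("misfiled:", find_misfiled_records({
        REGISTER_SESSION["_session_id"]: REGISTER_SESSION,
        LOGIN_SESSION["_session_id"]: LOGIN_SESSION,
    }))
```

Run `scan_session_dir("/var/lib/lemonldap-ng/sessions")` on an affected instance to list the register tokens that are currently sitting in the SSO store; whichever fix is chosen (a separate `_session_kind` for register tokens, or the handler refusing `_type: register`), the result of that scan should become empty.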
Edited by Yadd