LemonLDAP NG / lemonldap-ng · Issue #1743

Created May 10, 2019 by Maxime Besson (@maxbes), Maintainer

[Security: low] register_token used for account creation can be used as a valid session identifier

References

  • CVE-2019-12046
  • Debian #928944

Concerned version

Version: 2.0.3

Summary

The confirmation email contains a link that looks like this:

http://auth.example.com/register?register_token=9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f&skin=bootstrap

The register_token may be used as a valid session, before the account is even created in the Register backend.

curl -b lemonldap=9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f http://test1.example.com/

The session is of course empty:

<li>Connected user: <ul>
<li><tt>$ENV{HTTP_AUTH_USER}</tt>: </li>
<li><tt>$ENV{REMOTE_USER}</tt>: </li>

But I'm pretty sure this is undesired behavior.

Logs

cat /var/lib/lemonldap-ng/sessions/9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f
{
   "_utime" : 1557493764,
   "tokenSessionStartTimestamp" : 1557493764,
   "_type" : "register",
   "ipAddr" : "10.128.239.1",
   "firstname" : "Bob",
   "_session_kind" : "SSO",
   "mail" : "hackerman@gibson.com",
   "lastname" : "Hackerman",
   "_session_id" : "9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f",
   "tokenTimeoutTimestamp" : 1557565764
}

Possible fixes

The register session shouldn't be using _session_kind: SSO, or the handler should not accept _type: register? Not sure what the correct way is here.

Edited May 13, 2019 by Yadd
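The check the report points at, as an added illustration that is not LemonLDAP::NG's own code: a handler that treats every store entry of kind SSO as a login session accepts the register token above, while a handler that also refuses workflow token types and requires an authenticated user does not. The sample records are constructed from the file quoted in the issue; the _user and _session_uid field names for a normal login session are an assumption about the session format.

```python
import json
import time
from typing import Optional, Tuple

# Constructed sample records. The first mirrors the register-token session file
# quoted in the issue; the second is an assumed normal login session (the field
# names _user and _session_uid are an assumption about the session format).
REGISTER_TOKEN_SESSION = json.dumps({
    "_utime": 1557493764, "_type": "register", "_session_kind": "SSO",
    "ipAddr": "10.128.239.1", "mail": "hackerman@gibson.com",
    "tokenSessionStartTimestamp": 1557493764, "tokenTimeoutTimestamp": 1557565764,
    "_session_id": "9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f",
})
LOGIN_SESSION = json.dumps({
    "_utime": 1557493800, "_session_kind": "SSO", "_user": "bob",
    "_session_uid": "bob", "_session_id": "0" * 64,  # constructed id
})

# Session types that only hold state for an unfinished workflow and never
# represent an authenticated user. "register" is the type from the issue.
TOKEN_ONLY_TYPES = {"register"}


def accepted_by_kind_only(raw: str) -> bool:
    """The behaviour the issue describes: any store entry of kind SSO is a session."""
    return json.loads(raw).get("_session_kind") == "SSO"


def accepted_hardened(raw: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Accept only sessions produced by a completed login; return (ok, reason)."""
    now = int(time.time()) if now is None else now
    try:
        s = json.loads(raw)
    except json.JSONDecodeError:
        return False, "unparseable session record"
    if s.get("_session_kind") != "SSO":
        return False, "not an SSO session"
    # A register (or other workflow) token must never authenticate a request,
    # even though it lives in the same store under the same kind.
    if s.get("_type") in TOKEN_ONLY_TYPES:
        return False, "temporary %s token, not a login" % s["_type"]
    # Observable symptom from the issue: REMOTE_USER was empty, i.e. the
    # record carries no user identity at all.
    if not s.get("_user"):
        return False, "session carries no authenticated user"
    return True, "ok"
```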