[Security: low, CVE-2021-40874] RESTServer pwdConfirm always returns true with Combination + Kerberos
Concerned version
Version: 2.0.13
Summary
- Enable restPasswordServer
- Configure Combination with the rule [Kerberos, Demo] or [Demo] (works with LDAP too)
- Use /proxy/pwdConfirm to validate dwho/wrongpassword => returns true
Logs
[debug] Entering REST pwdConfirm method
[debug] Processing getUser
[debug] Processing authenticate
[debug] -> authResult = 0
This happens because authenticate always returns OK in Auth::Kerberos.
See also #2611
Low severity because this feature is probably not used by anyone. To successfully exploit this, a user must have deployed another application that relies on pwdConfirm to validate passwords (such as another LLNG instance using Auth::REST)
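The mechanism above, as an added Python model (not LemonLDAP::NG's own Perl code): Combination is simplified to an ordered "first backend that returns OK wins" fallback, the result codes and the checks_password flag are assumptions of the model, and the hardened variant shows one mitigation (only consult backends that actually verify a password), not necessarily the upstream fix.

```python
# Constructed model of a REST pwdConfirm that delegates password validation
# to a Combination of authentication backends. Not LemonLDAP::NG's code.

PE_OK = 0               # authResult = 0 in the logs above means success
PE_BADCREDENTIALS = 5   # assumption: any non-zero code means failure


class DemoBackend:
    """Password backend: verifies user/password against a constructed table."""
    checks_password = True

    def __init__(self, users):
        self.users = users

    def authenticate(self, user, password):
        return PE_OK if self.users.get(user) == password else PE_BADCREDENTIALS


class KerberosBackend:
    """Models Auth::Kerberos: the ticket is handled elsewhere, so authenticate()
    never looks at the password and always reports success."""
    checks_password = False

    def authenticate(self, user, password):
        return PE_OK


class Combination:
    """Simplified [A, ...] or [B, ...] rule: first backend returning OK wins."""
    def __init__(self, backends):
        self.backends = backends

    def authenticate(self, user, password):
        for backend in self.backends:
            if backend.authenticate(user, password) == PE_OK:
                return PE_OK
        return PE_BADCREDENTIALS


def pwd_confirm_vulnerable(auth, user, password):
    # Mirrors the bug: trusts whatever the combined authenticate() says.
    return auth.authenticate(user, password) == PE_OK


def pwd_confirm_fixed(auth, user, password):
    # Mitigation (assumption): ignore backends that cannot verify a password;
    # if none remain, refuse to confirm rather than answer true.
    backends = auth.backends if isinstance(auth, Combination) else [auth]
    pw_backends = [b for b in backends if b.checks_password]
    if not pw_backends:
        return False
    return any(b.authenticate(user, password) == PE_OK for b in pw_backends)
```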
Edited by Maxime Besson