mahara-contributors team mailing list archive
Message #32521
[Bug 1537908] Re: Warnings when LDAP server is not available
This bug is similar to Bug 1009262 (User passwords logged when LDAP
misconfigured), but in this case it's logging the password that Mahara
itself uses to bind to the LDAP server. Specifically, that's field 8 on
this manual page:
manual.mahara.org/en/15.10/administration/institutions.html#index-17
The actual security implications of this bug are limited by the fact
that an attacker needs read-access to the web server error logs. And in
most systems, if a user has read access to those logs, they most likely
already have read-access to Mahara's "config.php" file and could
retrieve the LDAP bind password from the database (as this password has
to be stored in plaintext; unlike user passwords, which are hashed).
Additionally, unlike Bug 1009262, in this case the exposed password is
not a user password (which is likely used by the same human being for
other services), but a password for an automated account. In a properly
configured system, this password will be unique to this one account, and
the account will be limited to read-only access in the LDAP context
where user data and/or group data is stored.
It's worth noting this LDAP configuration field is, in fact, optional.
It doesn't need to be filled in for institutions that allow anonymous
binds (perhaps using the network to enforce LDAP access security), or
for institutions that are not doing user auto-creation or LDAP user sync
or LDAP group sync.
It's still worth fixing this issue, however, because of the possibility
that the server logs may unexpectedly be made accessible to others, or
the possibility of a configuration change printing error messages to the
web front-end instead of the logs.
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1537908
Title:
Warnings when LDAP server is not available
Status in Mahara:
Confirmed
Status in Mahara 1.10 series:
Confirmed
Status in Mahara 15.10 series:
Confirmed
Bug description:
Version: master (16.04), 15.10
Platform: any
Browser: any
When logging in using LDAP authentication, I get the following error message if the LDAP server is not available, and the password for the LDAP special user does appear.
(I changed it to 'visiblepassword')
[Mon Jan 25 21:00:44.324225 2016] [:error] [pid 11] [client 172.17.0.1:37746] [WAR] a2 (auth/ldap/lib.php:271) ldap_bind(): Unable to bind to server: Can't contact LDAP server, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324262 2016] [:error] [pid 11] [client 172.17.0.1:37746] Call stack (most recent first):, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324272 2016] [:error] [pid 11] [client 172.17.0.1:37746] * log_message("ldap_bind(): Unable to bind to server: Can't conta...", 8, true, true, "/var/www/html/mahara-clients/docroot/htdocs/auth/l...", 271) at /var/www/html/mahara-clients/docroot/htdocs/lib/errors.php:441, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324281 2016] [:error] [pid 11] [client 172.17.0.1:37746] * error(2, "ldap_bind(): Unable to bind to server: Can't conta...", "/var/www/html/mahara-clients/docroot/htdocs/auth/l...", 271, array(size 5)) at Unknown:0, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324288 2016] [:error] [pid 11] [client 172.17.0.1:37746] * ldap_bind(resource(#106), "cn=ldap proxy,ou=special users,ou=school,DC=eggs,D...", "visiblepassword") at /var/www/html/mahara-clients/docroot/htdocs/auth/ldap/lib.php:271, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324296 2016] [:error] [pid 11] [client 172.17.0.1:37746] * AuthLdap->ldap_connect() at /var/www/html/mahara-clients/docroot/htdocs/auth/ldap/lib.php:139, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324303 2016] [:error] [pid 11] [client 172.17.0.1:37746] * AuthLdap->authenticate_user_account(object(LiveUser), "********") at /var/www/html/mahara-clients/docroot/htdocs/auth/lib.php:1500, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324310 2016] [:error] [pid 11] [client 172.17.0.1:37746] * login_submit(object(Pieform), array(size 6)) at Unknown:0, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324316 2016] [:error] [pid 11] [client 172.17.0.1:37746] * call_user_func_array("login_submit", array(size 2)) at /var/www/html/mahara-clients/docroot/htdocs/lib/pieforms/pieform.php:537, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324323 2016] [:error] [pid 11] [client 172.17.0.1:37746] * Pieform->__construct(array(size 9)) at /var/www/html/mahara-clients/docroot/htdocs/auth/lib.php:505, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324331 2016] [:error] [pid 11] [client 172.17.0.1:37746] * auth_setup() at /var/www/html/mahara-clients/docroot/htdocs/init.php:408, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324338 2016] [:error] [pid 11] [client 172.17.0.1:37746] * require("/var/www/html/mahara-clients/docroot/htdocs/init.p...") at /var/www/html/mahara-clients/docroot/htdocs/index.php:16, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.324345 2016] [:error] [pid 11] [client 172.17.0.1:37746] , referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326490 2016] [:error] [pid 11] [client 172.17.0.1:37746] [WAR] a2 (auth/ldap/lib.php:200) LDAP connection failed: ldaps://rodc1.eggs.school.nz/ou=school,DC=eggs,DC=school,DC=nz, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326518 2016] [:error] [pid 11] [client 172.17.0.1:37746] Call stack (most recent first):, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326544 2016] [:error] [pid 11] [client 172.17.0.1:37746] * log_message("LDAP connection failed: ldaps://rodc1.eggs.school....", 8, true, true) at /var/www/html/mahara-clients/docroot/htdocs/lib/errors.php:97, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326553 2016] [:error] [pid 11] [client 172.17.0.1:37746] * log_warn("LDAP connection failed: ldaps://rodc1.eggs.school....") at /var/www/html/mahara-clients/docroot/htdocs/auth/ldap/lib.php:200, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326562 2016] [:error] [pid 11] [client 172.17.0.1:37746] * AuthLdap->authenticate_user_account(object(LiveUser), "********") at /var/www/html/mahara-clients/docroot/htdocs/auth/lib.php:1500, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326569 2016] [:error] [pid 11] [client 172.17.0.1:37746] * login_submit(object(Pieform), array(size 6)) at Unknown:0, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326576 2016] [:error] [pid 11] [client 172.17.0.1:37746] * call_user_func_array("login_submit", array(size 2)) at /var/www/html/mahara-clients/docroot/htdocs/lib/pieforms/pieform.php:537, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326585 2016] [:error] [pid 11] [client 172.17.0.1:37746] * Pieform->__construct(array(size 9)) at /var/www/html/mahara-clients/docroot/htdocs/auth/lib.php:505, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326593 2016] [:error] [pid 11] [client 172.17.0.1:37746] * auth_setup() at /var/www/html/mahara-clients/docroot/htdocs/init.php:408, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326600 2016] [:error] [pid 11] [client 172.17.0.1:37746] * require("/var/www/html/mahara-clients/docroot/htdocs/init.p...") at /var/www/html/mahara-clients/docroot/htdocs/index.php:16, referer: http://localhost/mahara-clients/docroot/htdocs/
[Mon Jan 25 21:00:44.326608 2016] [:error] [pid 11] [client 172.17.0.1:37746] , referer: http://localhost/mahara-clients/docroot/htdocs/
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1537908/+subscriptions
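The call stack above leaks the bind password because the error handler dumps every frame's arguments verbatim, while the user password in authenticate_user_account is already replaced by "********". As an added example (not Mahara's own code; the frame/argument table is an assumption made for illustration, and the log lines are constructed from the excerpt above), the scrubber below parses such frame lines, reports any credential argument left in clear text, and masks it the same way:

```python
import re

# Constructed sample, modelled on the bug report's log (bind password already swapped by the reporter).
SAMPLE_LOG = """\
[Mon Jan 25 21:00:44.324288 2016] [:error] [pid 11] [client 172.17.0.1:37746] * ldap_bind(resource(#106), "cn=ldap proxy,ou=special users,ou=school,DC=eggs,D...", "visiblepassword") at /var/www/html/mahara/htdocs/auth/ldap/lib.php:271
[Mon Jan 25 21:00:44.324303 2016] [:error] [pid 11] [client 172.17.0.1:37746] * AuthLdap->authenticate_user_account(object(LiveUser), "********") at /var/www/html/mahara/htdocs/auth/lib.php:1500
[Mon Jan 25 21:00:44.324310 2016] [:error] [pid 11] [client 172.17.0.1:37746] * login_submit(object(Pieform), array(size 6)) at Unknown:0
"""
# Frame name -> argument positions holding a credential (assumed for this example, not Mahara config).
SENSITIVE_ARGS = {"ldap_bind": {2}, "AuthLdap->authenticate_user_account": {1}}
MASK = '"********"'  # the placeholder Mahara already uses for the user password
FRAME_RE = re.compile(r'\* (?P<func>[\w>:-]+)\((?P<args>.*)\) at ')  # * func(args) at file:NNN

def split_args(s):
    """Split on top-level commas, honouring "quotes" and nested parentheses."""
    args, cur, depth, in_str = [], [], 0, False
    for ch in s:
        if not in_str and ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
            if in_str:
                in_str = ch != '"'
            elif ch == '"':
                in_str = True
            elif ch in "()":
                depth += 1 if ch == "(" else -1
    return args + ["".join(cur).strip()] if (cur or args) else []

def redact_frame(line):
    """Return (line with credential arguments masked, [(func, index, value)])."""
    m = FRAME_RE.search(line)
    positions = SENSITIVE_ARGS.get(m.group("func")) if m else None
    if not positions:
        return line, []
    args, exposed = split_args(m.group("args")), []
    for i in sorted(positions):
        if i < len(args) and args[i] != MASK:  # skip values already masked
            exposed.append((m.group("func"), i, args[i]))
            args[i] = MASK
    return line[:m.start("args")] + ", ".join(args) + line[m.end("args"):], exposed

def scrub_log(text):
    clean, findings = [], []  # findings: (line_no, func, index, clear-text value)
    for n, line in enumerate(text.splitlines(), 1):
        new_line, exposed = redact_frame(line)
        clean.append(new_line)
        findings.extend((n, f, i, v) for f, i, v in exposed)
    return "\n".join(clean), findings
```

Running scrub_log over a real error log would both flag that the ldap_bind frame exposed its third argument and produce a copy safe to hand to others.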