Authentication form lets users log in without entering a password #2214

Closed
eorochena opened this Issue May 10, 2016 · 10 comments

@eorochena

eorochena commented May 10, 2016

Problem description

Web Application - The authentication form lets users log in without entering a password as long as the account is "valid". In previous versions, graylog-web used to display the "Please fill out all fields." message.

Steps to reproduce the problem

  1. Login with any valid user id with empty/no password.

Environment

  • Graylog Version: 2.0
  • Elasticsearch Version: 2.3.2-1
  • MongoDB Version: 2.4.14-1
  • Operating System: CentOS 6 and CentOS 7
  • Browser version: Google Chrome 48.0.2564.109 (64-bit) and Mozilla Firefox 44.0.2
@joschi

Contributor

joschi commented May 11, 2016

@eorochena Thanks for reporting this. Are those users coming from LDAP or have you created them locally in your Graylog instance?

@eorochena

eorochena commented May 11, 2016

They come from LDAP/Active Directory.

@joschi

Contributor

joschi commented May 11, 2016

@eorochena Just to be completely clear: It's possible to successfully log into Graylog with a (LDAP) user without password? Or is it simply the fact that the login form doesn't tell the users to fill out all fields?

@eorochena

eorochena commented May 11, 2016

The main issue is that it is possible to log in with a valid ID without a password: as long as the ID is valid, I can log in as that person. The secondary issue is that the login form doesn't tell users that they need to fill out all the fields, but I think that particular section of the code is getting bypassed.

@edmundoa

Member

edmundoa commented May 11, 2016

@eorochena I was trying to reproduce the main issue, but I couldn't log in with an LDAP user if I didn't provide a password. Could it be a misconfiguration in your LDAP server? Especially verify that you cannot bind to the server without a password.

Regarding the second issue, the code is not bypassed; it changed, and we don't check that the username and password are given. We rely on the authentication layer to do that instead.

@eorochena

eorochena commented May 11, 2016

Looking at the tcpdump output on a box running graylog-server-1.2.1-1.noarch,

I see that if I do not enter the password field, the request doesn't get handed over to the LDAP server; it immediately displays the "Please fill out all fields" message in the login form. But when I try the same approach with another server running graylog-server-2.0.1-1.noarch, the request is immediately passed over to LDAP, which uses a System_Username/Service_Account to retrieve user data.

15:29:43.694077 IP 10.239.227.56.48811 > 10.176.132.10.389: Flags [P.], seq 3371830277:3371830368, ack 2350523208, win 133, options [nop,nop,TS val 603419605 ecr 209331921], length 91
0x0000: 4500 008f 7915 4000 4006 4472 0aef e338 E...y.@.@.y.DrDree...8
0x0010: 0ab0 840aa beaba 0185 c8fa 0c05 86c21a 2348 ..............#H
0x0020: 8018 0085e a7d63 0000 0101 080a 23f7 73d5 ....}c......#.s.
0x0030: 0c7a2 2644d1 3059 0201 0360 5402 0103 044d .z&.0Y...`T....M
0x0040: 434e 43d4f 726f 6368 656e 615c 2c20 4564 CN=Orochena,.Ed
0x0050: 7561 7264 6f2c 4f55 3d42 4354 2c4f 553d uardo,OU=Florida,OU=
0x0060: 5573 6572 732c 4f55 3d55 7365 7220 4163 UsersID,OU=Users.Ac
0x0070: 636f 756e 7473 2c44 433d 7269 736b 2c44 counts,DC=koolaid,D
0x0080: 433d 7265 676e 2c44 433d 6e65 7480 00 C=example,DC=net.. << Password goes here but it is empty

@edmundoa

Member

edmundoa commented May 12, 2016

As I said before, in 2.0 we do not check for empty passwords in the login form. That is not providing any extra security (it is fairly easy to work around that validation and send an empty password), so you need to ensure your LDAP server is not letting unauthenticated users bind to it.

@dennisoelkers

Member

dennisoelkers commented May 12, 2016

@eorochena: Could you try to bind against your LDAP server with the DN of your user and an empty password? This seems to be an issue with your LDAP server being configured incorrectly, allowing empty passwords.

@eorochena

eorochena commented May 12, 2016

Our Active Directory requires a password in order to establish a successful binding; we are going to switch to local authentication in the meantime.

Banshee eorochena # ldapsearch -x -h WindoseBox.koolaid.example.com -D "CN=Orochena\, Eduardo,OU=Florida,OU=UserID,OU=Users Accounts,DC=koolaid,DC=example,DC=com" -W -b "DC=koolaid,DC=example,DC=com"
Enter LDAP Password:  No password
# extended LDIF
#
# LDAPv3
# base <DC=risk,DC=regn,DC=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this ope
 ration a successful bind must be completed on the connection., data 0, v1db1

# numResponses: 1
@BcTpe4HbIu

BcTpe4HbIu commented May 25, 2016

I tried configuring LDAP with our AD and got exactly the same result. I can log in with any valid username without a password.
The login test on the LDAP configuration page also passes with an empty password and any username.

An LDAP bind request with an empty password is actually an anonymous bind and, as far as I know, AD always accepts anonymous binds but denies all anonymous operations (except for gathering server info).

As per RFC 4513 section 5.1.2:

Clients SHOULD disallow an empty password input to a Name/Password Authentication user interface.
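The two points made above, that a login form check is not a security control and that a bind with a name but no password is not a password authentication at all, can be shown on the wire. The following is an added example, not Graylog code and not from any participant in this thread. It builds the LDAPv3 simple BindRequest that the client sends (the same BER structure visible in the tcpdump above, which ends in the bytes `80 00`: the simple-credentials tag with a zero-length value), parses it back, classifies it according to RFC 4513 section 5.1, and contrasts an authenticator that trusts the directory's answer with one that refuses to bind when the principal or credentials are empty, which is what the fix commit's title describes. The directory, the DNs and the passwords are constructed stand-ins; `ad_like_bind` imitates the reported behaviour of returning success for an unauthenticated bind.

```python
"""Constructed example: empty LDAP credentials turn a simple bind into an
unauthenticated bind; the fix is to refuse such binds before they leave."""

# --- Minimal BER helpers for an LDAPv3 simple BindRequest (RFC 4511 4.2) ---

def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(value)) + value


def build_simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }.

    0x30 SEQUENCE, 0x60 [APPLICATION 0] BindRequest, 0x02 INTEGER,
    0x04 OCTET STRING, 0x80 context tag [0] = simple credentials (implicit).
    An empty password therefore ends the packet with b"\\x80\\x00".
    """
    bind = ber_tlv(0x60, ber_tlv(0x02, b"\x03")
                   + ber_tlv(0x04, dn.encode())
                   + ber_tlv(0x80, password.encode()))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(packet: bytes):
    """Extract (dn, password) from a simple BindRequest, e.g. from a capture."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _message_id, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, credentials, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not simple authentication")
    return name.decode(), credentials.decode()


def classify_bind(dn: str, password: str) -> str:
    """RFC 4513 section 5.1: only a non-empty name AND password is a
    name/password authentication; the other two shapes grant no identity."""
    if not dn and not password:
        return "anonymous"          # 5.1.1
    if dn and not password:
        return "unauthenticated"    # 5.1.2, the case reported in this issue
    return "name/password"          # 5.1.3


# --- Constructed directory stand-in (not a real AD) ---------------------------

_CONSTRUCTED_DIRECTORY = {"CN=alice,DC=example,DC=test": "s3cret"}


def ad_like_bind(dn: str, password: str) -> bool:
    """Imitates a directory that answers success to an unauthenticated bind
    (empty password) while verifying real passwords, as described above."""
    if not password:
        return True                 # the trap: success without a credential
    return _CONSTRUCTED_DIRECTORY.get(dn) == password


def vulnerable_login(dn: str, password: str, ldap_bind) -> bool:
    """Trusts the bind result alone: any known DN logs in with no password."""
    return ldap_bind(dn, password)


def hardened_login(dn: str, password: str, ldap_bind) -> bool:
    """Server-side refusal to bind with an empty principal or credentials.
    A form check can be skipped by the client; this check cannot."""
    if not dn.strip() or not password:
        return False
    return ldap_bind(dn, password)


if __name__ == "__main__":
    dn = "CN=alice,DC=example,DC=test"
    pkt = build_simple_bind_request(3, dn, "")
    print(pkt.hex(" "))                                   # ends with "80 00"
    print(classify_bind(*parse_simple_bind(pkt)))         # unauthenticated
    print(vulnerable_login(dn, "", ad_like_bind), hardened_login(dn, "", ad_like_bind))
```

The check belongs in the authenticator, not only in the login form: the form's "Please fill out all fields" message is a usability aid, while `hardened_login` is what keeps an unauthenticated bind from ever reaching a directory that would answer it with success.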

@joschi joschi self-assigned this May 25, 2016

@joschi joschi added bug security and removed cannot reproduce labels May 25, 2016

@joschi joschi added this to the 2.0.2 milestone May 25, 2016

joschi added a commit that referenced this issue May 25, 2016

dennisoelkers added a commit that referenced this issue May 26, 2016

Forbid empty passwords when using LDAP (#2283)
* Forbid empty passwords when using LDAP

Closes #2214

* Forbid LDAP bind with empty principal or credentials