Merge pull request from GHSA-r387-grjx-qgvw
Fixes
gruberroland committed Jun 27, 2022
2 parents 8384f77 + 2d685bd commit f1d5d04
Showing 20 changed files with 312 additions and 171 deletions.
31 changes: 31 additions & 0 deletions lam-packaging/RPM/lam.apache.conf
Expand Up @@ -10,23 +10,54 @@ Alias /lam /usr/share/ldap-account-manager

<Directory /var/lib/ldap-account-manager/tmp>
Options -Indexes
<Files ~ ".*\.php.*">
Require all denied
</Files>
<Files ~ ".*\.inc">
Require all denied
</Files>
</Directory>

<Directory /usr/share/ldap-account-manager/tmp>
Options -Indexes
<Files ~ ".*\.php.*">
Require all denied
</Files>
<Files ~ ".*\.inc">
Require all denied
</Files>
</Directory>

<Directory /var/lib/ldap-account-manager/tmp/internal>
Options -Indexes
Require all denied
</Directory>

<Directory /usr/share/ldap-account-manager/tmp/internal>
Options -Indexes
Require all denied
</Directory>

<Directory /var/lib/ldap-account-manager/sess>
Options -Indexes
Require all denied
</Directory>

<Directory /usr/share/ldap-account-manager/sess>
Options -Indexes
Require all denied
</Directory>

<Directory /var/lib/ldap-account-manager/config>
Options -Indexes
Require all denied
</Directory>

<Directory /usr/share/ldap-account-manager/config>
Options -Indexes
Require all denied
</Directory>

<Directory /usr/share/ldap-account-manager/lib>
Options -Indexes
Require all denied
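Review bot: The `<Files ~ ".*\.php.*">` deny in the two tmp directory blocks only covers names containing `.php`, so a file under tmp with another extension the PHP handler maps — Debian's php-fpm Apache snippet, as far as I recall, matches `.+\.ph(ar|p|tml)$` — would still be handed to PHP; the same gap is in the debian lam.apache.conf section. Consider replacing the two `<Files ~>` blocks with a single `<FilesMatch "\.(php|phar|phtml|inc)">` kept in step with whatever FilesMatch the installed PHP handler uses, and note that `<FilesMatch>` is the form the Apache 2.4 docs prefer over the legacy `<Files ~>`. The leading and trailing `.*` in the pattern are redundant because the match is unanchored.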
15 changes: 10 additions & 5 deletions lam-packaging/RPM/lam.nginx.conf
Expand Up @@ -3,6 +3,16 @@ location /lam {
alias /usr/share/ldap-account-manager;
autoindex off;

location ~ /lam/tmp/.*\.(php|inc)$ {
deny all;
return 403;
}

location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
deny all;
return 403;
}

location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php7-fpm.sock;
Expand All @@ -11,9 +21,4 @@ location /lam {
fastcgi_param SCRIPT_FILENAME $request_filename;
}

location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
deny all;
return 403;
}

}
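Review bot: The protection of the new `location ~ /lam/tmp/.*\.(php|inc)$` block rests solely on it being placed above `location ~ \.php$`, since nginx uses the first regex location that matches, and nothing in the file records that requirement — the second hunk shows the old layout had the deny block below the php location, which is what this commit corrects. Add a comment above it such as `# must stay above the \.php location: nginx takes the first matching regex location`; the same applies to the debian lam.nginx.conf section. Both patterns are also case-sensitive (`~`), so a request for a tmp path ending in `.PHP` matches neither location and is served through the alias as a static file rather than denied; `~*` on the deny location would cover that if such names can occur there.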
31 changes: 31 additions & 0 deletions lam-packaging/debian/lam.apache.conf
Expand Up @@ -10,23 +10,54 @@ Alias /lam /usr/share/ldap-account-manager

<Directory /var/lib/ldap-account-manager/tmp>
Options -Indexes
<Files ~ ".*\.php.*">
Require all denied
</Files>
<Files ~ ".*\.inc">
Require all denied
</Files>
</Directory>

<Directory /usr/share/ldap-account-manager/tmp>
Options -Indexes
<Files ~ ".*\.php.*">
Require all denied
</Files>
<Files ~ ".*\.inc">
Require all denied
</Files>
</Directory>

<Directory /var/lib/ldap-account-manager/tmp/internal>
Options -Indexes
Require all denied
</Directory>

<Directory /usr/share/ldap-account-manager/tmp/internal>
Options -Indexes
Require all denied
</Directory>

<Directory /var/lib/ldap-account-manager/sess>
Options -Indexes
Require all denied
</Directory>

<Directory /usr/share/ldap-account-manager/sess>
Options -Indexes
Require all denied
</Directory>

<Directory /var/lib/ldap-account-manager/config>
Options -Indexes
Require all denied
</Directory>

<Directory /usr/share/ldap-account-manager/config>
Options -Indexes
Require all denied
</Directory>

<Directory /usr/share/ldap-account-manager/lib>
Options -Indexes
Require all denied
13 changes: 9 additions & 4 deletions lam-packaging/debian/lam.nginx.conf
Expand Up @@ -3,15 +3,20 @@ location /lam {
alias /usr/share/ldap-account-manager;
autoindex off;

location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_param SCRIPT_FILENAME $request_filename;
location ~ /lam/tmp/.*\.(php|inc)$ {
deny all;
return 403;
}

location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
deny all;
return 403;
}

location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $request_filename;
}

}
9 changes: 7 additions & 2 deletions lam/HISTORY
@@ -1,4 +1,4 @@
June 2022 8.0
27.06.2022 8.0
- PHP 8.1 compatibility
- Extended user account status and locking options
- Unix: added Gecos to profile editor
Expand All @@ -13,11 +13,16 @@ June 2022 8.0
-> Hidden account is displayed (257)
-> Change of RDN failed for OpenLDAP entries
-> Tree view issues with browser auto-completion (176)
-> Unauthenticated Arbitrary Object Instantiation / Unauthenticated Remote Code Execution (GHSA-r387-grjx-qgvw, CVE-2022-31084)
-> Incorrect Default Permissions (GHSA-q8g5-45m4-q95p, CVE-2022-31087)
-> Incorrect Regular Expressions (GHSA-q9pc-x84w-982x, CVE-2022-31086)
-> Unauthenticated LDAP Injection (GHSA-wxf8-9x99-6gp4, CVE-2022-31088)
-> Reflected XSS (Internet Explorer only) (GHSA-6m3q-5c84-6h6j, CVE-2022-31085)


15.04.2022 7.9.1
- Fixed bugs:
-> Security issues in PDF editor and profile editor
-> Security issues in PDF editor and profile editor (GHSA-f2fr-cccr-583v, CVE-2022-24851)


09.03.2022 7.9
8 changes: 0 additions & 8 deletions lam/docs/manual-sources/chapter-configuration.xml
Expand Up @@ -119,14 +119,6 @@
LAM via an untrusted IP only get blank pages. There is a separate field
for LAM Pro self service.</para>

<para id="sessionEncryption">Session encryption will encrypt sensitive
data like passwords in your session files. This is only available when
PHP <ulink
url="http://php.net/manual/en/book.openssl.php">OpenSSL</ulink> is
active. This adds extra security but also costs performance. If you
manage a large directory you might want to disable this and take other
actions to secure your LAM server.</para>

<screenshot>
<mediaobject>
<imageobject>
2 changes: 0 additions & 2 deletions lam/help/help.inc
Expand Up @@ -164,8 +164,6 @@ $helpArray = array (
"Text" => _("Here you can specify minimum requirements for passwords. The character classes are: lowercase, uppercase, numeric and symbols.")),
"244" => array ("Headline" => _('PHP error reporting'),
"Text" => _('Defines if the PHP error reporting setting from php.ini is used or the setting preferred by LAM ("E_ALL & ~E_NOTICE"). If you do not develop LAM modules please use the default. This will prevent displaying messages that are useful only for developers.')),
"245" => array ("Headline" => _('Encrypt session'),
"Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP OpenSSL extension.')),
"246" => array ("Headline" => _('Number of rules that must match'),
"Text" => _('Specifies the number of above password rules that must be fulfilled.')),
"247" => array ("Headline" => _('Password must not contain user name'),
30 changes: 10 additions & 20 deletions lam/lib/account.inc
Expand Up @@ -176,16 +176,9 @@ function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
break;
case 'PBKDF2-SHA512':
$iterations = 200000;
if (function_exists('openssl_pbkdf2')) {
$salt = openssl_random_pseudo_bytes(16);
$hashBinary = openssl_pbkdf2($password, $salt, 64, $iterations, 'sha512');
$hash = "{PBKDF2-SHA512}${iterations}" . '$' . base64_encode($salt) . '$' . base64_encode($hashBinary);
}
else {
$salt = generateSalt(16);
$hashBinary = hex2bin(hash_pbkdf2('sha512', $password, $salt, $iterations));
$hash = "{PBKDF2-SHA512}${iterations}" . '$' . base64_encode($salt) . '$' . base64_encode($hashBinary);
}
$salt = openssl_random_pseudo_bytes(16);
$hashBinary = openssl_pbkdf2($password, $salt, 64, $iterations, 'sha512');
$hash = "{PBKDF2-SHA512}${iterations}" . '$' . base64_encode($salt) . '$' . base64_encode($hashBinary);
break;
case 'MD5':
$hash = "{MD5}" . base64_encode(hex2bin(md5($password)));
Expand Down Expand Up @@ -251,11 +244,7 @@ function getHashType(?string $hash): string {
* @return array hash types
*/
function getSupportedHashTypes() {
$hashes = array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN', 'SASL', 'K5KEY', 'LDAP_EXOP', 'ARGON2ID');
if (function_exists('openssl_pbkdf2') || function_exists('hash_pbkdf2')) {
$hashes[] = 'PBKDF2-SHA512';
}
return $hashes;
return array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN', 'SASL', 'K5KEY', 'LDAP_EXOP', 'ARGON2ID', 'PBKDF2-SHA512');
}

/**
Expand Down Expand Up @@ -1576,8 +1565,12 @@ class moduleCache {
*
* @param String $name module name
* @param String $scope module scope (e.g. user)
* @return null|object module object
*/
public static function getModule($name, $scope) {
public static function getModule($name, $scope): ?object {
if (!ScopeAndModuleValidation::isValidModuleName($name) || !ScopeAndModuleValidation::isValidScopeName($scope)) {
return null;
}
if (isset(self::$cache[$name . ':' . $scope])) {
return self::$cache[$name . ':' . $scope];
}
Expand All @@ -1598,10 +1591,7 @@ class moduleCache {
* @return int random number
*/
function getRandomNumber() {
if (function_exists('openssl_random_pseudo_bytes')) {
return abs(hexdec(bin2hex(openssl_random_pseudo_bytes(5))));
}
return abs(mt_rand());
return abs(hexdec(bin2hex(openssl_random_pseudo_bytes(5))));
}

/**
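Review bot: In the PBKDF2-SHA512 branch of pwd_hash the salt now comes from `openssl_random_pseudo_bytes(16)` without the `$strong` out-parameter; on PHP 7 that function returns `false` instead of throwing on failure, and a `false` salt is silently cast to an empty string before it reaches openssl_pbkdf2 and base64_encode. `$salt = random_bytes(16);` (core since PHP 7, throws on failure) is the simpler choice and removes the openssl dependency for the salt, though openssl_pbkdf2 still needs the extension. getRandomNumber in the last hunk has the same pattern; `return random_int(0, 0xFFFFFFFFFF);` keeps the 40-bit range while returning a proper int, whereas the hexdec/abs chain yields a float on 32-bit builds. pwd_hash's body starts and ends outside the hunk.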
9 changes: 1 addition & 8 deletions lam/lib/config.inc
Expand Up @@ -2963,9 +2963,6 @@ class LAMCfgMain {
/** list of hosts which may access LAM Pro self service */
public $allowedHostsSelfService;

/** session encryption */
public $encryptSession;

/** minimum length for passwords */
public $passwordMinLength = 0;

Expand Down Expand Up @@ -3062,7 +3059,7 @@ class LAMCfgMain {
"passwordMinClasses", "passwordMinSymbol", 'checkedRulesCount',
'passwordMustNotContainUser', 'passwordMustNotContain3Chars',
'externalPwdCheckUrl',
'errorReporting', 'encryptSession', 'allowedHostsSelfService',
'errorReporting', 'allowedHostsSelfService',
'license', 'licenseEmailFrom', 'licenseEmailTo', 'licenseWarningType', 'licenseEmailDateSent',
'mailServer', 'mailUser', 'mailPassword', 'mailEncryption', 'configDatabaseType',
'configDatabaseServer', 'configDatabasePort', 'configDatabaseName', 'configDatabaseUser',
Expand Down Expand Up @@ -3094,7 +3091,6 @@ class LAMCfgMain {
$this->logDestination = "SYSLOG";
$this->allowedHosts = "";
$this->allowedHostsSelfService = '';
$this->encryptSession = 'true';
try {
$this->reload();
} catch (LAMException $e) {
Expand Down Expand Up @@ -3370,9 +3366,6 @@ class LAMCfgMain {
if (!in_array("allowedHostsSelfService", $saved)) {
array_push($file_array, "allowedHostsSelfService: " . $this->allowedHostsSelfService . "\n");
}
if (!in_array("encryptSession", $saved)) {
array_push($file_array, "encryptSession: " . $this->encryptSession . "\n");
}
if (!in_array("passwordMinLength", $saved)) {
array_push($file_array, "passwordMinLength: " . $this->passwordMinLength . "\n");
}
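Review bot: Dropping the `encryptSession` property together with its default and save handling leaves existing config.cfg files with a stale `encryptSession: true` line, and any remaining reader of `$encryptSession` elsewhere in the tree would now touch an undefined property; whether reload() tolerates unknown keys is not visible in these hunks. Consider a one-line comment in the save path next to the `allowedHostsSelfService` block, such as `// encryptSession was removed in 8.0; stale lines in older config files are ignored`, or strip the key there explicitly, so the migration behaviour is recorded. The enclosing methods start and end outside the hunks.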

