
Commit f1d5d04

authored
Merge pull request from GHSA-r387-grjx-qgvw
Fixes
2 parents 8384f77 + 2d685bd commit f1d5d04

20 files changed

+312
-171
lines changed

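--- a/lam-packaging/RPM/lam.apache.conf
+++ b/lam-packaging/RPM/lam.apache.conf
@@ -10,23 +10,54 @@ Alias /lam /usr/share/ldap-account-manager
 
 <Directory /var/lib/ldap-account-manager/tmp>
 Options -Indexes
+<Files ~ ".*\.php.*">
+Require all denied
+</Files>
+<Files ~ ".*\.inc">
+Require all denied
+</Files>
+</Directory>
+
+<Directory /usr/share/ldap-account-manager/tmp>
+Options -Indexes
+<Files ~ ".*\.php.*">
+Require all denied
+</Files>
+<Files ~ ".*\.inc">
+Require all denied
+</Files>
 </Directory>
 
 <Directory /var/lib/ldap-account-manager/tmp/internal>
 Options -Indexes
 Require all denied
 </Directory>
 
+<Directory /usr/share/ldap-account-manager/tmp/internal>
+Options -Indexes
+Require all denied
+</Directory>
+
 <Directory /var/lib/ldap-account-manager/sess>
 Options -Indexes
 Require all denied
 </Directory>
 
+<Directory /usr/share/ldap-account-manager/sess>
+Options -Indexes
+Require all denied
+</Directory>
+
 <Directory /var/lib/ldap-account-manager/config>
 Options -Indexes
 Require all denied
 </Directory>
 
+<Directory /usr/share/ldap-account-manager/config>
+Options -Indexes
+Require all denied
+</Directory>
+
 <Directory /usr/share/ldap-account-manager/lib>
 Options -Indexes
 Require all denied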
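Review bot: The new `<Files ~ ".*\.php.*">` denylist under both `tmp` directories only catches names containing `.php`, while the stock PHP handler mappings of the target distributions also hand `.phar` (RHEL: `<FilesMatch \.(php|phar)$>`) and `.phtml` (Debian: `<FilesMatch ".+\.ph(ar|p|tml)$">`) to PHP, so such a file in the writable tmp tree would still be executed. Broadening the pattern to `<Files ~ "\.ph(ar|p|tml)">` covers those mappings; an allowlist that exposes only the expected generated artefact types would be more robust, as it would not need revisiting whenever the handler mapping changes. The identical blocks in lam-packaging/debian/lam.apache.conf have the same gap.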

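--- a/lam-packaging/RPM/lam.nginx.conf
+++ b/lam-packaging/RPM/lam.nginx.conf
@@ -3,6 +3,16 @@ location /lam {
 alias /usr/share/ldap-account-manager;
 autoindex off;
 
+location ~ /lam/tmp/.*\.(php|inc)$ {
+deny all;
+return 403;
+}
+
+location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
+deny all;
+return 403;
+}
+
 location ~ \.php$ {
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 fastcgi_pass unix:/var/run/php7-fpm.sock;
@@ -11,9 +21,4 @@ location /lam {
 fastcgi_param SCRIPT_FILENAME $request_filename;
 }
 
-location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
-deny all;
-return 403;
-}
-
 }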
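Review bot: The added deny locations are only effective because they now sit above `location ~ \.php$`; nginx evaluates regular-expression locations in configuration order and stops at the first match, so a later reordering would silently route `/lam/tmp/*.php` back to FastCGI with no other symptom. A comment pinning that contract next to the deny blocks would make it visible, e.g. `# must stay above "location ~ \.php$": nginx uses the first matching regex location`. The move of the `\.php$` block to the end of lam-packaging/debian/lam.nginx.conf relies on the same ordering and would benefit from the same comment. `return 403;` runs in the rewrite phase before access checks, so the preceding `deny all;` is redundant but harmless.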

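--- a/lam-packaging/debian/lam.apache.conf
+++ b/lam-packaging/debian/lam.apache.conf
@@ -10,23 +10,54 @@ Alias /lam /usr/share/ldap-account-manager
 
 <Directory /var/lib/ldap-account-manager/tmp>
 Options -Indexes
+<Files ~ ".*\.php.*">
+Require all denied
+</Files>
+<Files ~ ".*\.inc">
+Require all denied
+</Files>
+</Directory>
+
+<Directory /usr/share/ldap-account-manager/tmp>
+Options -Indexes
+<Files ~ ".*\.php.*">
+Require all denied
+</Files>
+<Files ~ ".*\.inc">
+Require all denied
+</Files>
 </Directory>
 
 <Directory /var/lib/ldap-account-manager/tmp/internal>
 Options -Indexes
 Require all denied
 </Directory>
 
+<Directory /usr/share/ldap-account-manager/tmp/internal>
+Options -Indexes
+Require all denied
+</Directory>
+
 <Directory /var/lib/ldap-account-manager/sess>
 Options -Indexes
 Require all denied
 </Directory>
 
+<Directory /usr/share/ldap-account-manager/sess>
+Options -Indexes
+Require all denied
+</Directory>
+
 <Directory /var/lib/ldap-account-manager/config>
 Options -Indexes
 Require all denied
 </Directory>
 
+<Directory /usr/share/ldap-account-manager/config>
+Options -Indexes
+Require all denied
+</Directory>
+
 <Directory /usr/share/ldap-account-manager/lib>
 Options -Indexes
 Require all denied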

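--- a/lam-packaging/debian/lam.nginx.conf
+++ b/lam-packaging/debian/lam.nginx.conf
@@ -3,15 +3,20 @@ location /lam {
 alias /usr/share/ldap-account-manager;
 autoindex off;
 
-location ~ \.php$ {
-include snippets/fastcgi-php.conf;
-fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
-fastcgi_param SCRIPT_FILENAME $request_filename;
+location ~ /lam/tmp/.*\.(php|inc)$ {
+deny all;
+return 403;
 }
 
 location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
 deny all;
 return 403;
 }
 
+location ~ \.php$ {
+include snippets/fastcgi-php.conf;
+fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+fastcgi_param SCRIPT_FILENAME $request_filename;
+}
+
 }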

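--- a/lam/HISTORY
+++ b/lam/HISTORY
@@ -1,4 +1,4 @@
-June 2022 8.0
+27.06.2022 8.0
 - PHP 8.1 compatibility
 - Extended user account status and locking options
 - Unix: added Gecos to profile editor
@@ -13,11 +13,16 @@ June 2022 8.0
 -> Hidden account is displayed (257)
 -> Change of RDN failed for OpenLDAP entries
 -> Tree view issues with browser auto-completion (176)
+-> Unauthenticated Arbitrary Object Instantiation / Unauthenticated Remote Code Execution (GHSA-r387-grjx-qgvw, CVE-2022-31084)
+-> Incorrect Default Permissions (GHSA-q8g5-45m4-q95p, CVE-2022-31087)
+-> Incorrect Regular Expressions (GHSA-q9pc-x84w-982x, CVE-2022-31086)
+-> Unauthenticated LDAP Injection (GHSA-wxf8-9x99-6gp4, CVE-2022-31088)
+-> Reflected XSS (Internet Explorer only) (GHSA-6m3q-5c84-6h6j, CVE-2022-31085)
 
 
 15.04.2022 7.9.1
 - Fixed bugs:
--> Security issues in PDF editor and profile editor
+-> Security issues in PDF editor and profile editor (GHSA-f2fr-cccr-583v, CVE-2022-24851)
 
 
 09.03.2022 7.9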

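--- a/lam/docs/manual-sources/chapter-configuration.xml
+++ b/lam/docs/manual-sources/chapter-configuration.xml
@@ -119,14 +119,6 @@
 LAM via an untrusted IP only get blank pages. There is a separate field
 for LAM Pro self service.</para>
 
-<para id="sessionEncryption">Session encryption will encrypt sensitive
-data like passwords in your session files. This is only available when
-PHP <ulink
-url="http://php.net/manual/en/book.openssl.php">OpenSSL</ulink> is
-active. This adds extra security but also costs performance. If you
-manage a large directory you might want to disable this and take other
-actions to secure your LAM server.</para>
-
 <screenshot>
 <mediaobject>
 <imageobject>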

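--- a/lam/help/help.inc
+++ b/lam/help/help.inc
@@ -164,8 +164,6 @@ $helpArray = array (
 "Text" => _("Here you can specify minimum requirements for passwords. The character classes are: lowercase, uppercase, numeric and symbols.")),
 "244" => array ("Headline" => _('PHP error reporting'),
 "Text" => _('Defines if the PHP error reporting setting from php.ini is used or the setting preferred by LAM ("E_ALL & ~E_NOTICE"). If you do not develop LAM modules please use the default. This will prevent displaying messages that are useful only for developers.')),
-"245" => array ("Headline" => _('Encrypt session'),
-"Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP OpenSSL extension.')),
 "246" => array ("Headline" => _('Number of rules that must match'),
 "Text" => _('Specifies the number of above password rules that must be fulfilled.')),
 "247" => array ("Headline" => _('Password must not contain user name'),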

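--- a/lam/lib/account.inc
+++ b/lam/lib/account.inc
@@ -176,16 +176,9 @@ function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
 break;
 case 'PBKDF2-SHA512':
 $iterations = 200000;
-if (function_exists('openssl_pbkdf2')) {
-$salt = openssl_random_pseudo_bytes(16);
-$hashBinary = openssl_pbkdf2($password, $salt, 64, $iterations, 'sha512');
-$hash = "{PBKDF2-SHA512}${iterations}" . '$' . base64_encode($salt) . '$' . base64_encode($hashBinary);
-}
-else {
-$salt = generateSalt(16);
-$hashBinary = hex2bin(hash_pbkdf2('sha512', $password, $salt, $iterations));
-$hash = "{PBKDF2-SHA512}${iterations}" . '$' . base64_encode($salt) . '$' . base64_encode($hashBinary);
-}
+$salt = openssl_random_pseudo_bytes(16);
+$hashBinary = openssl_pbkdf2($password, $salt, 64, $iterations, 'sha512');
+$hash = "{PBKDF2-SHA512}${iterations}" . '$' . base64_encode($salt) . '$' . base64_encode($hashBinary);
 break;
 case 'MD5':
 $hash = "{MD5}" . base64_encode(hex2bin(md5($password)));
@@ -251,11 +244,7 @@ function getHashType(?string $hash): string {
 * @return array hash types
 */
 function getSupportedHashTypes() {
-$hashes = array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN', 'SASL', 'K5KEY', 'LDAP_EXOP', 'ARGON2ID');
-if (function_exists('openssl_pbkdf2') || function_exists('hash_pbkdf2')) {
-$hashes[] = 'PBKDF2-SHA512';
-}
-return $hashes;
+return array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN', 'SASL', 'K5KEY', 'LDAP_EXOP', 'ARGON2ID', 'PBKDF2-SHA512');
 }
 
 /**
@@ -1576,8 +1565,12 @@ class moduleCache {
 *
 * @param String $name module name
 * @param String $scope module scope (e.g. user)
+* @return null|object module object
 */
-public static function getModule($name, $scope) {
+public static function getModule($name, $scope): ?object {
+if (!ScopeAndModuleValidation::isValidModuleName($name) || !ScopeAndModuleValidation::isValidScopeName($scope)) {
+return null;
+}
 if (isset(self::$cache[$name . ':' . $scope])) {
 return self::$cache[$name . ':' . $scope];
 }
@@ -1598,10 +1591,7 @@ class moduleCache {
 * @return int random number
 */
 function getRandomNumber() {
-if (function_exists('openssl_random_pseudo_bytes')) {
-return abs(hexdec(bin2hex(openssl_random_pseudo_bytes(5))));
-}
-return abs(mt_rand());
+return abs(hexdec(bin2hex(openssl_random_pseudo_bytes(5))));
 }
 
 /**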
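Review bot: `moduleCache::getModule()` now rejects names and scopes that fail `ScopeAndModuleValidation`, but it does so silently; input that trips this check is exactly what the advisory describes, so logging the rejected `$name` and `$scope` at warning level through the project's logging helper before `return null;` would give operators a detection signal and an audit trail. Callers of `getModule()` lie outside this hunk and previously always received an object, so each call site should be checked for a null-safe path (the method body also continues past the hunk). In the `pwd_hash()` hunk, the retained `"{PBKDF2-SHA512}${iterations}"` uses `${var}` string interpolation, which PHP 8.2 deprecates; `"{PBKDF2-SHA512}{$iterations}"` is the drop-in form. The salt there and the bytes in `getRandomNumber()` could come from `random_bytes()`, PHP's built-in CSPRNG, instead of `openssl_random_pseudo_bytes()`.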

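--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
@@ -2963,9 +2963,6 @@ class LAMCfgMain {
 /** list of hosts which may access LAM Pro self service */
 public $allowedHostsSelfService;
 
-/** session encryption */
-public $encryptSession;
-
 /** minimum length for passwords */
 public $passwordMinLength = 0;
 
@@ -3062,7 +3059,7 @@ class LAMCfgMain {
 "passwordMinClasses", "passwordMinSymbol", 'checkedRulesCount',
 'passwordMustNotContainUser', 'passwordMustNotContain3Chars',
 'externalPwdCheckUrl',
-'errorReporting', 'encryptSession', 'allowedHostsSelfService',
+'errorReporting', 'allowedHostsSelfService',
 'license', 'licenseEmailFrom', 'licenseEmailTo', 'licenseWarningType', 'licenseEmailDateSent',
 'mailServer', 'mailUser', 'mailPassword', 'mailEncryption', 'configDatabaseType',
 'configDatabaseServer', 'configDatabasePort', 'configDatabaseName', 'configDatabaseUser',
@@ -3094,7 +3091,6 @@ class LAMCfgMain {
 $this->logDestination = "SYSLOG";
 $this->allowedHosts = "";
 $this->allowedHostsSelfService = '';
-$this->encryptSession = 'true';
 try {
 $this->reload();
 } catch (LAMException $e) {
@@ -3370,9 +3366,6 @@ class LAMCfgMain {
 if (!in_array("allowedHostsSelfService", $saved)) {
 array_push($file_array, "allowedHostsSelfService: " . $this->allowedHostsSelfService . "\n");
 }
-if (!in_array("encryptSession", $saved)) {
-array_push($file_array, "encryptSession: " . $this->encryptSession . "\n");
-}
 if (!in_array("passwordMinLength", $saved)) {
 array_push($file_array, "passwordMinLength: " . $this->passwordMinLength . "\n");
 }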
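Review bot: Removing `encryptSession` from the property, the settings list, the constructor default and the save path leaves existing installations whose main configuration file still carries an `encryptSession:` line, and nothing in these hunks handles that upgrade case. `reload()` and the part of the save routine that rewrites existing lines are outside the diff, so confirm that an unknown key is ignored rather than reported as an error, and that the stale line is dropped or left untouched on the next save rather than mistaken for a live setting. A one-line comment at the removed default, such as `// session encryption is now unconditional; the encryptSession key in older config files is ignored`, would document the intent for the next maintainer, provided that is indeed how the rest of the class behaves. All four hunks belong to `LAMCfgMain`, whose definition starts and ends outside this diff.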
