
Very serious security issue on version 2.1.23 #1153

Closed
juanfalguera opened this issue Jan 12, 2016 · 32 comments

Comments

@juanfalguera

I am using LDAP integration with personal folder option enabled. So, when a user from my domain logs for the first time on Teampass, it creates a Teampass account automatically with no rights and attached to no folders or roles, as desired.

But, this same user can see all the passwords stored in all folders, as the image shows:

[image]

When he logs off and logs on for the second time, only the personal folder appears, as desired.
If we disable the "personal folder" option, this issue doesn't happen.

This is a very serious security issue and thank God I am in the test phase, so it didn't compromise my passwords.

I saw other 2 users complaining about that in other posts. It seems in version 2.1.20 this doesn't happen.

If you are using versions 2.1.21 to 2.1.24 with personal folders enabled and LDAP integration, I suggest you make a test and log a domain user on Teampass for the first time and see if they can see all passwords.

@nilsteampassnet
Owner

nilsteampassnet commented Jan 12, 2016 via email

@juanfalguera
Author

Sorry, it didn't work. Now I get stuck on the login page trying to log on with a domain user or admin account:

[image]

@juanfalguera
Author

Restarted server and now I can login again, but the first time logon issue persists.

When AD users log on for the first time, Teampass creates an account automatically for them, right? But, as the users don't have any permissions yet, probably the session variables used to store user id, roles, etc. are null or blank, and somehow the system lets users in this condition see all the items.

When the user logs on for the second time, the account is already created and the session variables are written correctly (I am guessing). This is why the issue happens only at first login.

Maybe there is a way to solve this, denying first-time users to log on to Teampass. If the account doesn't exist, Teampass creates it and gives a message on the login screen informing that the account has been created and asking the user to log on again.

Sorry if I am guessing too much... just trying to help...

nilsteampassnet added a commit that referenced this issue Jan 13, 2016
Fix for #1152, #1153, #1149 (partially)
@nilsteampassnet
Owner

Any news?

@juanfalguera
Author

I think my guess was wrong. I saw you implemented the changes I suggested to block first login and reload the page, but when the new user logs on he can still see all the passwords. Logging off and logging on again, he can see nothing. Same thing as before. Issue continues, unfortunately.

@nilsteampassnet
Owner

I don't see how it is possible, because if the user is new and created I set a variable to true.
If it is set to true then identification cannot occur and the page is reloaded.
So the only possibility for the case you are describing to appear is that the user already exists in the Teampass DB.

Can you make me connected to your server with TeamViewer?

@juanfalguera
Author

This happens with new users recently created in Active Directory. So, I am sure they don't exist in the Teampass DB before the first login.

I found another thing today: at first login, the user can see all passwords, but if you reload the page (F5), they are gone. It is not necessary to log off and log in again as we were thinking before.
I asked my IT Manager to open a TeamViewer connection, but the security policies of our company don't allow that. Sorry.

@juanfalguera
Author

Images showing sequence of events:

First login:

[image]

Second login:

[image]

After "F5":

[image]

Notice that after F5 I can see only my personal folder.

Also, a strange grey bar appears at the top of all pages for all users. I found there is something in the new version of the page "load.php" that is doing that, because when I roll back to version 2.1.24 of that page, the grey bar is gone.

@Dureaghin

This happens to me too. I'm using the latest release, 2.1.24 (4).

@nilsteampassnet
Owner

Could it be possible for you to perform the next debug things for me (as I cannot reproduce)?

In file /sources/tree.php, find

    global $ret_json, $listFoldersLimitedKeys, $listRestrictedFoldersForItemsKeys, $tree, $LANG;


    // Be sure that user can only see folders he/she is allowed to

and replace by

    global $ret_json, $listFoldersLimitedKeys, $listRestrictedFoldersForItemsKeys, $tree, $LANG;

    // DEBUG ONLY: dump the session keys that drive folder visibility
    $dbg1153 = fopen($_SESSION['settings']['path_to_files_folder']."/_debug.1153.txt", "a");
    if ($dbg1153 !== false) {
        fputs(
            $dbg1153,
            "\n\n-----\n\n".
            "forbiden_pfs : ".print_r($_SESSION['forbiden_pfs'], true)."\n" .
            'groupes_visibles : ' . print_r($_SESSION['groupes_visibles'], true) . "\n" .
            'list_restricted_folders_for_items : ' . print_r($_SESSION['list_restricted_folders_for_items'], true) . "\n" .
            'listFoldersLimitedKeys : ' . print_r($listFoldersLimitedKeys, true) . "\n" .
            'listRestrictedFoldersForItemsKeys : ' . print_r($listRestrictedFoldersForItemsKeys, true). "\n"
        );
        fclose($dbg1153);
    }

    // Be sure that user can only see folders he/she is allowed to

Then in file /sources/identify.php, find

                $_SESSION['nb_roles'] = 0;

and replace by

                $_SESSION['nb_roles'] = 0;
                $_SESSION['fonction_id'] = 0;

Can you then run on a new user and send me the debug file /files/_debug.1153.txt?
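A fail-closed version of the folder filter that the session keys above feed, as an added example (not Teampass code): if the user's rights were never loaded into the session, nothing is visible instead of everything. The function name, the folder array shape, and the reading of `groupes_visibles` as an allow list and `forbiden_pfs` as a deny list are assumptions.

```php
<?php
// Added example, not Teampass code. Demonstrates a fail-closed folder filter
// over the session keys discussed in this issue. Assumed: 'groupes_visibles'
// is the allow list of folder ids and 'forbiden_pfs' the deny list.
declare(strict_types=1);

/**
 * Return the folder ids the session may see. A session whose rights were
 * never loaded (e.g. an LDAP account created during this very login) gets
 * an empty list, never the full tree.
 */
function visibleFolderIds(array $session, array $folders): array
{
    $allowed = $session['groupes_visibles'] ?? null;
    $denied  = $session['forbiden_pfs'] ?? [];

    // Fail closed: missing, non-array or empty rights means no folders.
    if (!is_array($allowed) || $allowed === []) {
        return [];
    }
    $allowed = array_map('intval', $allowed);
    $denied  = array_map('intval', is_array($denied) ? $denied : []);

    $visible = [];
    foreach ($folders as $folder) {
        $id = (int) $folder['id'];
        if (in_array($id, $allowed, true) && !in_array($id, $denied, true)) {
            $visible[] = $id;
        }
    }
    return $visible;
}

// Constructed sample data: three folders, a first-login session with no
// rights loaded yet, and the same user's session once rights are loaded.
$folders      = [['id' => 1], ['id' => 2], ['id' => 3]];
$firstLogin   = ['user_id' => 42];
$rightsLoaded = ['user_id' => 42, 'groupes_visibles' => [1, 3], 'forbiden_pfs' => [3]];

echo 'first login: ', json_encode(visibleFolderIds($firstLogin, $folders)), PHP_EOL;
echo 'second login: ', json_encode(visibleFolderIds($rightsLoaded, $folders)), PHP_EOL;
```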

@s0ufiane

Hello,
I encounter the same bug: on the first connection of an AD user, all files and passwords are visible.
Have you found a solution to this bug?

TeamPass 2.1.25
Thanks

@kcorupe

kcorupe commented Apr 14, 2016

@nilsteampassnet - I tried putting your debug info but it's not producing a debug file. This issue is preventing us from using teampass. Any fix for this yet?

sources/tree.php:

    global $ret_json, $listFoldersLimitedKeys, $listRestrictedFoldersForItemsKeys, $tree, $LANG;

    // DEBUG ONLY
    $dbg1153 = fopen($_SESSION['settings']['path_to_files_folder']."/_debug.1153.txt", "a");
    fputs(
        $dbg1153,
        "\n\n-----\n\n".
        "forbiden_pfs : ".print_r($_SESSION['forbiden_pfs'], true)."\n" .
        'groupes_visibles : ' . print_r($_SESSION['groupes_visibles'], true) . "\n" .
        'list_restricted_folders_for_items : ' . print_r($_SESSION['list_restricted_folders_for_items'], true) . "\n" .
        'listFoldersLimitedKeys : ' . print_r($listFoldersLimitedKeys, true) . "\n" .
        'listRestrictedFoldersForItemsKeys : ' . print_r($listRestrictedFoldersForItemsKeys, true). "\n"
    );

sources/identify.php:

    $_SESSION['nb_roles'] = 0;
    $_SESSION['fonction_id'] = 0;

@kcorupe

kcorupe commented Apr 14, 2016

There is sort of a workaround: if you enable "Teampass local users only" under LDAP settings, it works as you expect, although the downside is that users need to be added manually, but they will still authenticate via Active Directory.

@jhrasko

jhrasko commented May 20, 2016

Hi there, I'm having the same problem as documented in #1297.
If there is some way I can assist you, just let me know; I'm fully virtualized so I can test literally everything for you. (I'm not very skilled in PHP, but.)
Currently we are on TP *26, but if needed I should be able to find some snapshot from *25.
It is really important for us.
Thank you

@nilsteampassnet
Owner

Can you do the next things?

  • open file sources/identify.php
  • set variables $debugLdap and $debugDuo to 1
  • open file load.php
  • search for } else if (data[0].value == "new_ldap_account_created") {
  • inside this block you will see window.location.href="index.php"
  • replace it with window.location.href="logout.php"
  • make a new try
  • provide me the 2 generated files /files/duo.debug.txt and /files/ldap.debug.txt

@jhrasko

jhrasko commented May 20, 2016

OK, it is done.
Modified like this:

    else if (data[0].value == "new_ldap_account_created") {
        $("#connection_error").html("'.$LANG['reload_page_after_user_account_creation'].'").show().switchClass("ui-state-error", "ui-state-default");
        setTimeout(
            function (){
                window.location.href="logout.php"
            },
            3000
        );
    }

PROCEDURE:
I logged in with a non-existing user (in TP) test.user (the user was still able to see all folders), then I logged in as admin and deleted this user from TP and tried it again with the same result, as you will see in the log.

RESULT:
------------------- ldap.debug.txt
!!! note: the real domain name and server name were changed to AD/exampledomain.com for security reasons

Get all LDAP params :.
mode : 1
type : windows
base_dn : dc=example,dc=com
search_base :.
bind_dn :.
bind_passwd :.
user_attribute : 0
account_suffix : @example.com
domain_controllers : AD.example.com
use_ssl : 0
use_tls : 1


Get all ldap params :.
base_dn : dc=example,dc=com
account_suffix : @example.com
domain_controllers : AD.example.com
use_ssl : 0
use_tls : 1


Create new adldap object : Server is unavailable

After authenticate : Success

ldap status : 1

------------------- duo.debug.txt
Content of data sent 'TBw/Vzg4ODh+jwTtdmUxK6VcZBRglBeWvVjBaqGaempK+mR+u1M3xLcb3Pui6Q6CFBSff8OPIo60ShHMnfCugs6Bm1wZPqm4iYFGUpOQjYKMOKavXdENAB6aZFTvF1oRyWFNB5nYTLb2Hh2ySLv1n9aO1ad0vHZ57zs3aLcbPbenVcNTO8DcxMENkOAsOLwaqZ3mIt/+'
Starting authentication of 'test.user'
LDAP status: 1
USer exists: 0
USer exists (confirm): 1
Proceed with Ident: 1


Identified : new_ldap_account_created

Content of data sent 'XRw/V0ZGRkZLz6JCggQN26rRhcxS5LdT76Wk29xNaBZmq3ZEGYqyCsoEki0yV5yx1jenwHZE+nvKQiATxAlB8AdyRyTyLLPLEy0QUmDvgG4LqYtRAg1da9vm+bSDmRwkIndrhineu59yHbgrHbZwieRIqQNqjiFna0XgiOdwFKg7MGgveO8z79oVsNHZZO4mY1Aa7y3m'
Starting authentication of 'test.user'
LDAP status: 1
USer exists: 1
USer exists (confirm): 1
Proceed with Ident: 1
User's password verified: 1
User's token: O395tQ.oETmwW7qxki/EZ877KcyJLcIghAeSACpXsH9l1Ie0yS
Preparing to identify the user rights


Identified : Fhepanvki2

Content of data sent 'Fx0/VxsbGxsxUjMcj3RKfK+3os5GId2sr/dpdiWcdEYZHXbuNowlQqBWfBbxS1JJ3uBsPPpP1seu72UgPj9+zDQpxwKiiy0jsDXDfnM85xybXh/CSHWjkrGmBDpvvkdQ8++kCBTZOEJqPBN4rfch9TEYxT5SE6qpBd9ODWzJ+OO4JmmwjdPz2QKHmiE7uYM8ajg/bxpR'
Starting authentication of 'admin'
LDAP status: 1
USer exists: 1
USer exists (confirm): 1
Proceed with Ident: 1
User's password verified: 1
User's token: MZxex0dwk2nqAobpQMkfUXjn6yqzjIgTkG6bGPj3G280ZL9iBC
Preparing to identify the user rights


Identified : 2PPb5JhQ6F

Content of data sent 'UB0/V8TExMRUc13IKWXd21+3lD7vglBz3UiP0d57f3+2du9M+FelCya2VpTqLHuSCpmTIg+9KDnJ00p1U673LYHP/ghuu23NbJ4rHIv8R1fMCPWzlGZchN5RfZw7+czUDiS8hoNefoSmFnJrfC5UTP3vCmVICLn/UVoaufeiSpmoXmyPVnXWKYDDVlF/EGaz4nxstpOp'
Starting authentication of 'test.user'
LDAP status: 1
USer exists: 0
USer exists (confirm): 1
Proceed with Ident: 1


Identified : new_ldap_account_created

Content of data sent 'Zx0/V0dHR0d5Yc1ysuFXRzsnSOoUaOLz3CSmmEinFIa/W7itzVAq8V4JZPjqNItAQdzR52auv+oAighcWwa0f0q7zqQKpCv3f9YcpGkANhgegbOOx6K+sExBihMDt7iumV4TeZzYEYMED5/eSRuIzGhPV+WVnEhTWtbTjvvNeymPUPK/byZM7zmvY9HC5+iuPBJLxSOa'
Starting authentication of 'test.user'
LDAP status: 1
USer exists: 1
USer exists (confirm): 1
Proceed with Ident: 1
User's password verified: 1
User's token: yVikhNTyV10oEOdjImFhgGWdpmy1P0wc7usX2tHpYRMtzumgex
Preparing to identify the user rights


Identified : ar6Tm7TJ3z

@ylysak

ylysak commented Jun 1, 2016

Hi,
I have the same problem too.
Is there any way to fix it?
Does the developer plan to correct it?

thx

@jcboysha

This is still a large issue.

@nilsteampassnet
Owner

I can't test this as I have no LDAP system.

Please can someone provide access by TeamViewer so that I can debug?

@jcboysha

Given the recent problems with TeamViewer, I would suggest a different solution, but I'm not sure what.

Further, I'm trying my hardest to resolve the issue as well, I'll provide code to you if I can resolve the problem.

@nilsteampassnet
Owner

With Ammyy then? Or Skype?

@jcboysha

Those would be better, but regrettably, I can't allow you access to my environment for various reasons. Although, within the next week I may be able to set up a less critical environment for testing that I could allow you access to.

@chetanpachare

Hi,
I have the same Problem.

@tehnotronic

Are you sure that TeamPass should create a new account in the TP database if a new AD / LDAP user logs on? In my case it seems to just give a login error and not let the user in if they don't have a TP account.

@tehnotronic

Do you have "Teampass local users only" set to "no" under LDAP settings? In my setup, I have "yes".

@chetanpachare

Finally, I have found the problem.
This problem can be solved by setting the option "Enable Personal folder feature = No" in the Teampass settings page.

Then try to log in via LDAP users. You will not see any existing folders.

Thanks.

@ylysak

ylysak commented Jun 21, 2016

That's not a solution to the problem: I have folders for everyone, but I don't have a personal folder. This feature is needed by me and other staff.

@klou

klou commented Jul 20, 2016

#1381

@Qutianer

Just to highlight the workaround:

  1. In "LDAP settings" set "Teampass local users only".
  2. Pre-create accounts for LDAP users (auth still works via LDAP).
     (See kcorupe's comment above in #1153.)

@jsandova

This issue is still present with the latest version, 2.1.27. What is taking so long to fix this bug? Also, on version 2.1.27 my MFA with Duo is no longer working.

@nilsteampassnet
Owner

Can you please refer to #1530?

@lkiii

lkiii commented Oct 31, 2017

I am also experiencing the same issue on 2.1.27.
