Very serious security issue on version 2.1.23 #1153
Comments
Thanks for reporting.
LDAP things are not easy for me as I cannot test.
So only serious code review is done.
I think I found a way to get rid of this.
I have committed in "development" branch file sources/identify. Can you replace it on your test server and tell me if it corrects the point?
Thanks
|
Restarted the server and now I can log in again, but the first-time logon issue persists. When an AD user logs on for the first time, Teampass creates an account automatically for them, right? But, as the user doesn't have any permissions yet, probably the session variables used to store user id, roles, etc. are null or blank, and somehow the system lets users in this condition see all the items. When the user logs on for the second time, the account is already created and the session variables are written correctly (I am guessing). This is why the issue happens only at first login. Maybe there is a way to solve this, by denying first-time users the ability to log on to Teampass. If the account doesn't exist, Teampass creates it and gives a message on the login screen informing that the account has been created and asking the user to log on again. Sorry if I am guessing too much... just trying to help... |
Any news? |
I think my guess was wrong. I saw you implemented the changes I suggested to block first login and reload the page, but when the new user logs on he can still see all the passwords. Logging off and logging on again, he can see nothing. Same thing as before. The issue continues, unfortunately. |
I don't see how it is possible because if the user is new and created I set a variable to true. Can you make me connected to your server with TeamViewer? |
This happens with new users recently created in Active Directory. So, I am sure they don't exist in the Teampass DB before the first login. I found another thing today: at first login, the user can see all passwords, but if you reload the page (F5), they are gone. It is not necessary to log off and log in again as we were thinking before. |
Images showing the sequence of events: First login: Second login: After "F5": Notice that after F5 I can see only my personal folder. Also, a strange grey bar appears at the top of all pages for all users. I found there is something in the new version of the page "load.php" that is doing that, because when I roll back to version 2.1.24 of that page, the grey bar is gone. |
This happens with me too. I'm using the latest Release 2.1.24 (4) |
Could it be possible for you to perform the next debug things for me (as I cannot reproduce)? In file /sources/tree.php, find
and replace by
Then in file /sources/identify.php, find
and replace by
Can you then run on a new user and send me the debug file /files/_debug.1153.txt? |
Hello, TeamPass 2.1.25 |
@nilsteampassnet - I tried putting your debug info but it's not producing a debug file. This issue is preventing us from using teampass. Any fix for this yet? sources/tree.php:
sources/identify.php:
|
There is sort of a work around, if you enable "Teampass local users only" under LDAP settings. It works as you expect, although the downside is users need to be manually added but will still authenticate via Active Directory. |
Hi there, I'm having the same problem as documented in #1297. |
Can you do the next things?
|
OK it is done.
PROCEDURE:
RESULT:
Get all LDAP params :.
Get all ldap params :.
Create new adldap object : Server is unavailable
After authenticate : Success
ldap status : 1
-------------------
duo.debug.txt
Identified : new_ldap_account_created
Content of data sent 'XRw/V0ZGRkZLz6JCggQN26rRhcxS5LdT76Wk29xNaBZmq3ZEGYqyCsoEki0yV5yx1jenwHZE+nvKQiATxAlB8AdyRyTyLLPLEy0QUmDvgG4LqYtRAg1da9vm+bSDmRwkIndrhineu59yHbgrHbZwieRIqQNqjiFna0XgiOdwFKg7MGgveO8z79oVsNHZZO4mY1Aa7y3m'
Identified : Fhepanvki2
Content of data sent 'Fx0/VxsbGxsxUjMcj3RKfK+3os5GId2sr/dpdiWcdEYZHXbuNowlQqBWfBbxS1JJ3uBsPPpP1seu72UgPj9+zDQpxwKiiy0jsDXDfnM85xybXh/CSHWjkrGmBDpvvkdQ8++kCBTZOEJqPBN4rfch9TEYxT5SE6qpBd9ODWzJ+OO4JmmwjdPz2QKHmiE7uYM8ajg/bxpR'
Identified : 2PPb5JhQ6F
Content of data sent 'UB0/V8TExMRUc13IKWXd21+3lD7vglBz3UiP0d57f3+2du9M+FelCya2VpTqLHuSCpmTIg+9KDnJ00p1U673LYHP/ghuu23NbJ4rHIv8R1fMCPWzlGZchN5RfZw7+czUDiS8hoNefoSmFnJrfC5UTP3vCmVICLn/UVoaufeiSpmoXmyPVnXWKYDDVlF/EGaz4nxstpOp'
Identified : new_ldap_account_created
Content of data sent 'Zx0/V0dHR0d5Yc1ysuFXRzsnSOoUaOLz3CSmmEinFIa/W7itzVAq8V4JZPjqNItAQdzR52auv+oAighcWwa0f0q7zqQKpCv3f9YcpGkANhgegbOOx6K+sExBihMDt7iumV4TeZzYEYMED5/eSRuIzGhPV+WVnEhTWtbTjvvNeymPUPK/byZM7zmvY9HC5+iuPBJLxSOa'
Identified : ar6Tm7TJ3z |
Hi, thx |
This is still a large issue. |
I can't test this as I have no LDAP system. Can someone please provide access via TeamViewer so that I can debug? |
Given the recent problems with Teamviewer, I would suggest a different solution, but I'm not sure what. Further, I'm trying my hardest to resolve the issue as well, I'll provide code to you if I can resolve the problem. |
With ammyy then? or Skype? |
Those would be better, but regrettably, I can't allow you access to my environment for various reasons. Although, within the next week I may be able to set up a less critical environment for testing that I could allow you access to. |
Hi, |
Are you sure, that TeamPass should create a new account in TP database if new AD / LDAP user logs on? In my case it seems to give just login error and not let the user in, if it doesn't have TP account. |
Do you have "Teampass local users only" set to "no" under LDAP settings? In my setup, I have "yes". |
Finally, I have reached the problem. Then try to log in via LDAP users. You will not see any existing folders. Thanks. |
It's not a solution to the problem: I have folders for all, but I don't have a personal folder. I and other staff need this feature. |
Just to highlight workaround:
|
This issue is still present with the latest version, 2.1.27. What is taking so long to fix this bug? Also, on version 2.1.27 my MFA with DUO is no longer working. |
Can you please refer to #1530 |
I am also experiencing the same issue on 2.1.27 |
I am using LDAP integration with the personal folder option enabled. So, when a user from my domain logs in for the first time on Teampass, it creates a Teampass account automatically with no rights and attached to no folders or roles, as desired.
But this same user can see all the passwords stored in all folders, as the image shows:
When he logs off and logs on for the second time, only the personal folder appears, as desired.
If we disable the "personal folder" option, this issue doesn't happen.
This is a very serious security issue, and thank God I am in the test phase, so it didn't compromise my passwords.
I saw 2 other users complaining about that in other posts. It seems in version 2.1.20 this doesn't happen.
If you are using versions 2.1.21 to 2.1.24 with personal folder enabled and LDAP integration, I suggest you make a test and log a domain user on to Teampass for the first time and see if they can see all passwords.
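The symptom described in this issue and in the earlier comment about empty session variables (a freshly auto-created LDAP account with no roles or folders being shown every item until the session is rebuilt) is the classic fail-open authorization bug: an empty or missing folder allow-list is treated as "no filter" instead of "nothing". The example below is added for this page and is not Teampass code; the session keys, the `items`/`id_tree` names, the sample items and the `create_account` callback are constructed assumptions. It shows the fail-open query and session checks beside fail-closed versions, plus the first-login handling the reporter suggested (create the account, discard the session, require a second login), which is the behaviour the fixed functions rely on.

```python
"""Folder visibility computed from session state, deny by default.

Added example, not Teampass code. Session key names, table/column
names and sample data are all constructed for illustration.
"""

# Constructed sample data (hypothetical; not the Teampass schema).
ITEMS = [
    {"id": 10, "folder": 1, "label": "bank portal"},
    {"id": 11, "folder": 2, "label": "router admin"},
    {"id": 12, "folder": 3, "label": "alice private"},
]


def items_query_vulnerable(allowed_folders):
    """Query builder that drops the folder filter when the allow-list is
    empty. MySQL rejects `IN ()`, so the naive workaround is to omit the
    WHERE clause entirely, which turns "no permissions" into "all rows"."""
    if not allowed_folders:
        return "SELECT id, label FROM items"  # BUG: unrestricted result
    ids = ",".join(str(int(f)) for f in allowed_folders)
    return f"SELECT id, label FROM items WHERE id_tree IN ({ids})"


def items_query_fixed(allowed_folders):
    """Same query, fail-closed: an empty allow-list selects no rows."""
    if not allowed_folders:
        return "SELECT id, label FROM items WHERE 0 = 1"
    ids = ",".join(str(int(f)) for f in allowed_folders)
    return f"SELECT id, label FROM items WHERE id_tree IN ({ids})"


def visible_items_vulnerable(session):
    """Mirrors the reported symptom: a half-initialised session (folder
    list never stored) is treated as 'no restriction'. Returns item ids."""
    allowed = session.get("visible_folders")  # None on first LDAP login
    if not allowed:
        return [item["id"] for item in ITEMS]  # BUG: everything is visible
    return [item["id"] for item in ITEMS if item["folder"] in allowed]


def visible_items_fixed(session):
    """Deny by default. A session missing any required key means the login
    sequence did not finish, so refuse to serve rather than guess."""
    required = ("user_id", "visible_folders", "personal_folder")
    if any(key not in session for key in required):
        raise PermissionError("session incomplete; log in again")
    allowed = set(session["visible_folders"])
    if session["personal_folder"] is not None:
        allowed.add(session["personal_folder"])  # own personal folder only
    return [item["id"] for item in ITEMS if item["folder"] in allowed]


def finish_ldap_login(session, account_exists, create_account):
    """First-login handling proposed in the thread: if the LDAP user has no
    local account yet, create it, wipe the session and stop. The next
    request then cannot run the item listing with empty permissions; the
    user logs in again with a fully populated session."""
    if not account_exists:
        create_account()  # hypothetical callback that inserts the user row
        session.clear()
        return "account_created_login_again"
    session["authenticated"] = True
    return "ok"


if __name__ == "__main__":
    fresh = {}  # what a first LDAP login looks like before roles are loaded
    print("vulnerable:", visible_items_vulnerable(fresh))
    print("query:", items_query_vulnerable([]))
    print("fixed query:", items_query_fixed([]))
```

The fail-closed version raises on an incomplete session instead of returning an empty list, so a missing key cannot be confused with a legitimately empty permission set; the caller should treat that exception as a redirect to the login page.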