Ticket #47308 (closed defect: fixed)

Opened 4 years ago

Last modified 4 years ago

unintended information exposure when anonymous access is set to rootdse

Reported by: nkinder Owned by: nhosoi
Priority: major Milestone:
Component: Directory Server Version:
Keywords: Cc:
Blocked By: Blocking:
Review: ack Ticket origin: IPA
Red Hat Bugzilla: 923240 928105


When nsslapd-allow-anonymous-access is set to "rootdse", I would expect DS to
return only the rootDSE entry to an anonymous user. But it returns any LDAP entry, as
if anonymous access were enabled, if the search is done with scope set to BASE. ACIs still apply, so anonymous users would only be able to see data that is explicitly granted anonymous access by an ACI.

Steps to Reproduce:

  1. Set nsslapd-allow-anonymous-access in cn=config to "rootdse"
  2. Try to get an entry with scope=BASE as anonymous user

Actual results:
Entry is returned

Expected results:
Access is rejected.

This issue has been assigned CVE-2013-1897.


0001-Ticket-47308-unintended-information-exposure-when-an.patch (1.5 KB) - added by nhosoi 4 years ago.
git patch file (master)

Change History

comment:1 Changed 4 years ago by nkinder

  • Ticket origin changed from Community to IPA
  • screened changed from 0 to 1

comment:2 Changed 4 years ago by nhosoi

Bug description: The actual search base was not being checked
at all. There was a check for the search base when this feature
was initially implemented, but it was inadvertently removed when
changes were made to reduce the DN normalization throughout the
source tree (commit f6397113666f06848412bb12f754f04258cfa5fa).

Fix description: This patch adds the search base check back.
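
The gate described in the ticket and in this comment, modelled as an added example (this is not 389-ds-base code; the AnonAccess values, SearchRequest fields, function names and the sample DNs are assumptions constructed for the illustration). gate_before_fix reproduces the behaviour in the ticket's "Steps to Reproduce": with the setting at "rootdse" only the scope is consulted, so an anonymous BASE search on any entry passes the gate. gate_after_fix adds the search-base check the fix describes: the normalized base must be the root DSE (the empty DN) as well as scope BASE. Both functions are only the pre-search gate; ACIs are evaluated afterwards and still apply.

```python
"""Model of the anonymous-access gate applied before an LDAP search.

Added example for ticket 47308 (CVE-2013-1897).  It is NOT the server's
own code: AnonAccess, SearchRequest, the scope constants and the sample
requests below are assumptions constructed for this illustration.
"""
from dataclasses import dataclass
from enum import Enum


class AnonAccess(Enum):
    """Values of nsslapd-allow-anonymous-access in cn=config."""
    ON = "on"            # anonymous searches allowed anywhere (ACIs still apply)
    OFF = "off"          # no anonymous operations at all
    ROOTDSE = "rootdse"  # anonymous users may only read the root DSE


SCOPE_BASE = 0
SCOPE_ONELEVEL = 1
SCOPE_SUBTREE = 2


@dataclass(frozen=True)
class SearchRequest:
    bind_dn: str  # "" means the connection is anonymous (unauthenticated)
    base_dn: str  # "" is the root DSE
    scope: int


def normalize_dn(dn: str) -> str:
    """Minimal DN normalization for the example: drop whitespace around
    separators and lowercase attribute types.  A real server does more,
    but the point here is that the check runs on the *normalized* base."""
    parts = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(parts)


def _anonymous_and_restricted(mode: AnonAccess, req: SearchRequest) -> bool:
    """Shared pre-checks: authenticated binds and mode 'on' always pass."""
    return req.bind_dn == "" and mode is not AnonAccess.ON


def gate_before_fix(mode: AnonAccess, req: SearchRequest) -> bool:
    """Behaviour reported in the ticket: the search base is never inspected,
    so any anonymous BASE-scope search is let through in 'rootdse' mode."""
    if not _anonymous_and_restricted(mode, req):
        return True
    if mode is AnonAccess.OFF:
        return False
    return req.scope == SCOPE_BASE  # bug: base DN not checked at all


def gate_after_fix(mode: AnonAccess, req: SearchRequest) -> bool:
    """Fix described in comment:2: in 'rootdse' mode the normalized search
    base must be the empty DN (the root DSE) and the scope must be BASE."""
    if not _anonymous_and_restricted(mode, req):
        return True
    if mode is AnonAccess.OFF:
        return False
    return normalize_dn(req.base_dn) == "" and req.scope == SCOPE_BASE


def compare_gates() -> dict:
    """Run constructed sample requests through both gates and return
    {label: (before_fix, after_fix)} so the difference is visible."""
    user = "uid=alice,ou=People,dc=example,dc=com"  # constructed sample DN
    samples = {
        "anon base search on user entry": SearchRequest("", user, SCOPE_BASE),
        "anon subtree search on user entry": SearchRequest("", user, SCOPE_SUBTREE),
        "anon base search on root DSE": SearchRequest("", "", SCOPE_BASE),
        "anon base search on ' ' (normalizes to root DSE)": SearchRequest("", " ", SCOPE_BASE),
        "authenticated subtree search": SearchRequest("cn=Directory Manager", user, SCOPE_SUBTREE),
    }
    return {
        label: (gate_before_fix(AnonAccess.ROOTDSE, r), gate_after_fix(AnonAccess.ROOTDSE, r))
        for label, r in samples.items()
    }


if __name__ == "__main__":
    for label, (before, after) in compare_gates().items():
        print(f"{label:50s} before fix: {before!s:5s} after fix: {after!s:5s}")
```

Running the block prints the decision table for "rootdse" mode; the first row is the reported exposure (allowed before the fix, rejected after), and the root DSE rows show that the intended anonymous read still works once the base check is back.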

Changed 4 years ago by nhosoi

git patch file (master)

comment:3 Changed 4 years ago by nhosoi

  • Owner set to nhosoi
  • Status changed from new to assigned

comment:4 Changed 4 years ago by nhosoi

  • Review changed from Needs Review to review?

comment:5 Changed 4 years ago by mreynolds

  • Review changed from review? to ack

comment:6 Changed 4 years ago by nhosoi

  • Status changed from assigned to closed
  • Resolution set to fixed

Reviewed by Rich, Noriko and Mark.

Pushed to master: commit 4b2d700b77c1d4a0a2ad6592e2296068a200cbdd
Pushed to 389-ds-base-1.3.0: commit b1feced4e4d0d6798f7f1f94d4cd1c12af99d651
Pushed to 389-ds-base-1.2.11: commit 5a18c828533a670e7143327893f8171a19062286

comment:7 Changed 4 years ago by nhosoi

  • Red Hat Bugzilla changed from [https://bugzilla.redhat.com/show_bug.cgi?id=923240 923240] to [https://bugzilla.redhat.com/show_bug.cgi?id=923240 923240] [https://bugzilla.redhat.com/show_bug.cgi?id=928159 928159]

comment:8 Changed 4 years ago by nkinder

  • Red Hat Bugzilla changed from [https://bugzilla.redhat.com/show_bug.cgi?id=923240 923240] [https://bugzilla.redhat.com/show_bug.cgi?id=928159 928159] to [https://bugzilla.redhat.com/show_bug.cgi?id=923240 923240] [https://bugzilla.redhat.com/show_bug.cgi?id=928105 928105]