Ticket #47308 (closed defect: fixed)

Opened 13 months ago

Last modified 13 months ago

unintended information exposure when anonymous access is set to rootdse

Reported by: nkinder Owned by: nhosoi
Priority: major Milestone:
Component: Directory Server Version:
Keywords: Cc:
Blocked By: Blocking:
Review: ack Ticket origin: IPA
Red Hat Bugzilla: 923240 928105


When nsslapd-allow-anonymous-access is set to "rootdse", I would expect DS to
return only rootDSE entry to anonymous user. But it returns any LDAP entry as
with enabled anonymous access if the search is done with scope set to BASE. ACIs still apply, so anonymous users would only be able to see data that is explicitly granted anonymous access by an ACI.

Steps to Reproduce:

  1. Set nsslapd-allow-anonymous-access in cn=config to "rootdse"
  2. Try to get an entry with scope=BASE as anonymous user

Actual results:
Entry is returned

Expected results:
Access is rejected.

This issue has been assigned CVE-2013-1897.


0001-Ticket-47308-unintended-information-exposure-when-an.patch (1.5 KB) - added by nhosoi 13 months ago.
git patch file (master)

Change History

comment:1 Changed 13 months ago by nkinder

  • Ticket origin changed from Community to IPA
  • screened changed from 0 to 1

comment:2 Changed 13 months ago by nhosoi

Bug description: The actual search base was not being checked
at all. There was a check for the search base when this feature
was initially implemented, but it was inadvertently removed when
changes were made to reduce the DN normalization throughout the
source tree (commit f6397113666f06848412bb12f754f04258cfa5fa).

Fix description: This patch adds the search base check back.

Changed 13 months ago by nhosoi

git patch file (master)

comment:3 Changed 13 months ago by nhosoi

  • Owner set to nhosoi
  • Status changed from new to assigned

comment:4 Changed 13 months ago by nhosoi

  • Review changed from Needs Review to review?

comment:5 Changed 13 months ago by mreynolds

  • Review changed from review? to ack

comment:6 Changed 13 months ago by nhosoi

  • Status changed from assigned to closed
  • Resolution set to fixed

Reviewed by Rich, Noriko and Mark.

Pushed to master: commit 4b2d700b77c1d4a0a2ad6592e2296068a200cbdd
Pushed to 389-ds-base-1.3.0: commit b1feced4e4d0d6798f7f1f94d4cd1c12af99d651
Pushed to 389-ds-base-1.2.11: commit 5a18c828533a670e7143327893f8171a19062286

comment:7 Changed 13 months ago by nhosoi

  • Red Hat Bugzilla changed from [https://bugzilla.redhat.com/show_bug.cgi?id=923240 923240] to [https://bugzilla.redhat.com/show_bug.cgi?id=923240 923240] [https://bugzilla.redhat.com/show_bug.cgi?id=928159 928159]

comment:8 Changed 13 months ago by nkinder

  • Red Hat Bugzilla changed from [https://bugzilla.redhat.com/show_bug.cgi?id=923240 923240] [https://bugzilla.redhat.com/show_bug.cgi?id=928159 928159] to [https://bugzilla.redhat.com/show_bug.cgi?id=923240 923240] [https://bugzilla.redhat.com/show_bug.cgi?id=928105 928105]
Note: See TracTickets for help on using tickets.