#2 Auth bug in 1.2/svn

closed-fixed
None
5
2006-12-05
2006-11-19
No

1) Create two test users with different passwords where one name is a
subset of the other (such as test/test, test2/snarfblat). The subset
user is the "attacker"

2) Visit:

login.pl?login=test%002&password=test&action=login

for the testsite.

3) You are now logged in as test2 using user test's password

Discussion

  • Logged In: YES
    user_id=1366720
    Originator: YES

    Looks like postgres considers test\x002 to be the same as the string test and ignores the post-null digit.

    ledgersmb-taxtest=# select '|'||E'foo\x002'||'|' = '|foo|';
    ?column?
    ----------
    t
    (1 row)

  • Logged In: YES
    user_id=1585569
    Originator: NO

    I'll fix this, got some changes to LedgerSMB::Session::DB in the works anyway. I'll add a regex to whitelist characters. Here's what I'm thinking: [a-zA-Z0-9._@'-] Am I missing anything?

     
    • assigned_to: nobody --> christopherm
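    The report's three steps and the whitelist proposed in the comment above, as an added Python example. It is not LedgerSMB's code (the project is Perl) and it does not talk to PostgreSQL: `db_lookup` simply truncates the login at the first NUL to stand in for the psql behaviour quoted in the discussion. `USERS`, `db_lookup`, `login_vulnerable`, `login_fixed` and `handle_request` are all constructed for this example. The page does not say how the submitted string later comes to be shown as test2, so the example demonstrates only the core mismatch: the password that is checked belongs to test, but the session is opened under the client-supplied string. The fixed flow adds one step the thread does not mention: the session takes its name from the matched row, not from the raw input.

    ```python
    import re
    from urllib.parse import parse_qs

    # Constructed user table standing in for the two accounts from the report
    # (test/test and test2/snarfblat); plaintext passwords only to keep the
    # example short. Not LedgerSMB's schema.
    USERS = {"test": "test", "test2": "snarfblat"}


    def db_lookup(login):
        """Stand-in for the credential query.

        Models the PostgreSQL behaviour shown in the psql output above: the
        login is handled as a C string, so 'test\\x002' matches the row for
        'test'. Assumption: truncation at the first NUL is the whole effect.
        Returns (matched_name, stored_password) or None.
        """
        key = login.split("\x00", 1)[0]
        if key in USERS:
            return key, USERS[key]
        return None


    def login_vulnerable(login, password):
        """Flow as the report describes it: the password is checked against
        whatever row the database matched, but the session is then opened
        under the untruncated string the client submitted."""
        row = db_lookup(login)
        if row is None or row[1] != password:
            return None
        return login            # client-controlled, not the verified name


    # Whitelist proposed in the comment above; fullmatch() anchors it so the
    # entire login must consist of these characters (an embedded NUL fails).
    LOGIN_RE = re.compile(r"[a-zA-Z0-9._@'-]+")


    def login_fixed(login, password):
        """Hardened flow: reject anything outside the whitelist before the
        database is touched, and (a step beyond the thread) open the session
        under the name the password was actually verified for."""
        if LOGIN_RE.fullmatch(login) is None:
            return None
        row = db_lookup(login)
        if row is None or row[1] != password:
            return None
        return row[0]           # the matched row's name, not the raw input


    def handle_request(query, login_fn):
        """Parse a query string like the one in step 2 and run a login flow.
        parse_qs() decodes %00 to a real NUL byte, as the CGI layer would."""
        params = parse_qs(query)
        return login_fn(params["login"][0], params["password"][0])


    if __name__ == "__main__":
        probe = "login=test%002&password=test&action=login"
        print("vulnerable:", repr(handle_request(probe, login_vulnerable)))
        print("fixed:     ", repr(handle_request(probe, login_fixed)))
    ```

    Run as-is, the vulnerable flow accepts the step-2 request after checking test's password and returns the submitted 'test\x002'; the fixed flow returns None for the same request and returns 'test2' only when test2's own password is supplied. Two caveats on the regex itself: it admits the apostrophe, so it is no substitute for passing the login as a bound parameter in the query; and it is ASCII-only, so any existing logins with non-ASCII characters would stop working once it is enforced.
    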
     
  • Chris Travers, 2006-12-05

    • status: open --> pending-fixed

  • Chris Travers, 2006-12-05

    • status: pending-fixed --> closed-fixed

  • Chris Travers, 2007-10-12

    Logged In: YES
    user_id=80610
    Originator: NO

    Fixed in 1.1.5