Timo Sirainen
2007-Dec-20 22:38 UTC
[Dovecot-news] Security hole #4: Specific LDAP + auth cache configuration may mix up user logins
Somehow I doubt there are any Dovecot setups left that unknowingly have this problem, but it still counts as a security hole. The possibility to cause this problem exists in Dovecot v1.0.rc11 and later.

If you use:

1. passdb ldap with settings:
   - auth_bind = yes
   - auth_bind_userdn = no
   - base containing %variables required for unique user identification, e.g. base = dc=%d,dc=org
   - pass_filter not containing all %variables required for unique user identification
   - pass_attrs returning user-specific settings, such as user's home directory
2. userdb prefetch
3. auth_cache_size non-zero (0 is default)

If two users with the same password and same pass_filter variables log in within auth_cache_ttl seconds (1h by default), the second user may get logged in with the first user's cached pass_attrs. For example, if pass_attrs contained the user's home/mail directory, this would mean that the second user will be accessing the first user's mails.

You most likely would have noticed this already by wondering why logins keep failing, unless pass_filter also used some %variables that most of the time uniquely identify the user. For example %r (remote IP address) or %n (username without domain).

You can fix this by upgrading to v1.0.10 (to be released soon), or using this patch: http://hg.dovecot.org/dovecot-1.0/raw-rev/2cedab21cd6d
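A configuration audit for the three conditions listed in the advisory, as an added example that is not part of the original post and not Dovecot code. The function names and the sample config are constructed; it assumes single-letter %variables, that prefetch fields in pass_attrs carry the `userdb_` prefix, and that %u (user@domain) covers both %n and %d.

```python
import re

# Assumption: %u is user@domain, so it also pins down %n and %d.
COVERS = {"u": {"u", "n", "d"}}

SAMPLE = """
# constructed sample dovecot-ldap.conf, not taken from the advisory
auth_bind = yes
base = dc=%d,dc=org
pass_filter = (uid=%n)
pass_attrs = uid=user,homeDirectory=userdb_home
"""

def parse_conf(text):
    """Parse 'key = value' lines, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def variables(template):
    """Single-letter %variables; width digits and uppercase modifiers are skipped."""
    return set(re.findall(r"%[-0-9.A-Z]*([a-z])", template))

def missing_from_filter(conf):
    """%variables that select the search base but are absent from pass_filter."""
    covered = set()
    for v in variables(conf.get("pass_filter", "")):
        covered |= COVERS.get(v, {v})
    return variables(conf.get("base", "")) - covered

def affected(ldap_conf_text, userdb_prefetch, auth_cache_size):
    """True when every condition from the advisory holds at once."""
    conf = parse_conf(ldap_conf_text)
    bind = conf.get("auth_bind", "no").lower() == "yes"
    # An unset or empty auth_bind_userdn is treated as "no".
    no_userdn = conf.get("auth_bind_userdn", "no").lower() in ("", "no")
    user_specific = "userdb_" in conf.get("pass_attrs", "")
    return bool(bind and no_userdn and user_specific and userdb_prefetch
                and auth_cache_size > 0 and missing_from_filter(conf))
```

With the sample, %d selects the search base but never reaches pass_filter, so two users with the same local part and password in different domains match on the same pass_filter variables.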
Geert Hendrickx
2007-Dec-21 10:44 UTC
[Dovecot] Security hole #4: Specific LDAP + auth cache configuration may mix up user logins
On Fri, Dec 21, 2007 at 12:38:12AM +0200, Timo Sirainen wrote:
> Somehow I doubt there are any Dovecot setups left that unknowingly have
> this problem, but it still counts as a security hole. The possibility to
> cause this problem exists in Dovecot v1.0.rc11 and later.
>
> [...]
>
> You can fix this by upgrading to v1.0.10 (to be released soon), or using
> this patch: http://hg.dovecot.org/dovecot-1.0/raw-rev/2cedab21cd6d

Is Dovecot 1.1.x affected as well?

Geert