potential security issue: user name from external authentication is mangled

Issue copied from GitHub AWL issue 1 submitted by calestyo:

This is from: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703139

In inc/Session.php, there is the function _CheckLogin(), which at some point includes about this:

      if ( is_array($c->authenticate_hook['server_auth_type']) ) {
        if ( in_array( strtolower($_SERVER['AUTH_TYPE']), array_map('strtolower', $c->authenticate_hook['server_auth_type']) )) {
          if (isset($_SERVER["REMOTE_USER"]))
            $this->Login($_SERVER['REMOTE_USER'], "", true); // Password will not be checked.
          else
            $this->Login($_SERVER['REDIRECT_REMOTE_USER'], "", true); // Password will not be checked.
        }
      }
      else if ( strtolower($c->authenticate_hook['server_auth_type']) == strtolower($_SERVER['AUTH_TYPE']) ) {
        /**
         * Perhaps this 'split' is not a good idea though. People may want to use the
         * full ID as the username. A further option may be desirable.
         */
        if (isset($_SERVER["REMOTE_USER"]))
          list($username) = explode('@', $_SERVER['REMOTE_USER']);
        else
          list($username) = explode('@', $_SERVER['REDIRECT_REMOTE_USER']);
        $this->Login($username, "", true); // Password will not be checked.
      }

a) First it's already questionable why the array case is handled differently because AFAIU,... when server_auth_type is an array that means just that more auth methods are tried...

b) But more critical is the explode... and that everything behind an "@" (including that) is split off from REMOTE_USER (or REDIRECT_REMOTE_USER). I guess the idea is to take only the "foo" in usernames of the form "foo@bar.org"... but this is IMHO a security issue. Given that Davical can serve many vhosts/domains from one and the same DB, there might be different users like foo@bar.com and foo@bar.org... but now... these get "mapped" to the same davical username.

Solution... don't do the explode... or will this have any side effects?!

Cheers, Chris.


calestyo also commented that the pull request in GitHub AWL issue 2 would fix the problem.
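To make the collision concrete, the following is an added example (not DAViCal's own code and not part of the report) that reproduces the username derivation of the second branch of _CheckLogin() on constructed $_SERVER arrays for two virtual hosts, and puts it beside a variant that keeps the full authenticated identifier. The function names `external_username()` and `demo()` and the sample identities foo@bar.com / foo@bar.org are assumptions made for the demonstration.

```php
<?php
// Added example, not DAViCal code. Simulates how the explode('@', ...) branch in
// inc/Session.php::_CheckLogin() turns the web server's REMOTE_USER into the
// DAViCal username, beside a variant that does not strip the realm.

/**
 * Pick the externally authenticated identity the way _CheckLogin() does:
 * REMOTE_USER if set, otherwise REDIRECT_REMOTE_USER (set when mod_rewrite
 * or an ErrorDocument re-runs the request). Then either strip everything from
 * the first '@' (current behaviour) or keep the whole identifier (proposed).
 */
function external_username(array $server, bool $strip_realm): string
{
    $remote = $server['REMOTE_USER'] ?? $server['REDIRECT_REMOTE_USER'] ?? '';

    if ($strip_realm) {
        // Current code: "foo@bar.org" -> "foo"
        list($username) = explode('@', $remote);
        return $username;
    }

    // Proposed fix: use the full ID as the username, as the code comment suggests.
    return $remote;
}

/**
 * Run both strategies over two constructed vhost logins that share the local
 * part "foo" but belong to different domains. Returns, per strategy, the list
 * of DAViCal usernames and whether they are still distinct accounts.
 */
function demo(): array
{
    // Constructed sample requests: one authenticated via REMOTE_USER, the other
    // only via the REDIRECT_REMOTE_USER fallback, as can happen behind a rewrite.
    $requests = [
        ['AUTH_TYPE' => 'Basic', 'REMOTE_USER' => 'foo@bar.com'],
        ['AUTH_TYPE' => 'Basic', 'REDIRECT_REMOTE_USER' => 'foo@bar.org'],
    ];

    $result = [];
    foreach (['explode' => true, 'full_id' => false] as $label => $strip) {
        $names = array_map(
            fn(array $srv): string => external_username($srv, $strip),
            $requests
        );
        $result[$label] = [
            'usernames' => $names,
            'distinct'  => count(array_unique($names)) === count($names),
        ];
    }
    return $result;
}

foreach (demo() as $label => $outcome) {
    printf(
        "%-8s -> %-22s %s\n",
        $label,
        implode(', ', $outcome['usernames']),
        $outcome['distinct'] ? 'distinct accounts' : 'COLLISION: one DAViCal account'
    );
}
```

Running it with the PHP CLI shows the `explode` strategy mapping both identities to the single username `foo`, while `full_id` keeps `foo@bar.com` and `foo@bar.org` apart; any site that relied on the stripped form would need its existing usernames migrated before switching, which is the side effect the report asks about.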