[Secure-testing-team] Bug#483770: ikiwiki openid + passwordauth empty password security hole

Joey Hess joeyh at debian.org
Fri May 30 22:10:17 UTC 2008


Package: ikiwiki
Version: 1.34
Severity: grave
Tags: security patch

I'm unhappy to report a nasty security hole in ikiwiki. If both openid
and passwordauth plugins are enabled (the default configuration), anyone
can log in as any openid that has previously logged into the wiki and
does not have a password set.

The worst possible impact would be if the wiki admin were configured to
be an openid. Then anyone could log in as the admin and lock pages/ban
users/trash the wiki.


The good news: This does not affect Debian stable; the first ikiwiki affected
is 1.34, which is when openid support was added.

Debian testing security team: Could you please get a CVE for this issue?
I'll handle the high-urgency upload to unstable.

Ubuntu security team: Looks like all versions of ikiwiki in all Ubuntu
releases except edgy are vulnerable.

Brix: Could you inform the appropriate security people in FreeBSD and
get a fix into there?

Martin: Can you update backports?


The following is a minimal patch against ikiwiki version 1.34 to fix
the issue; it should also apply OK to later versions.

diff --git a/IkiWiki/Plugin/passwordauth.pm b/IkiWiki/Plugin/passwordauth.pm
index 1aac17a..0e20055 100644
--- a/IkiWiki/Plugin/passwordauth.pm
+++ b/IkiWiki/Plugin/passwordauth.pm
@@ -63,6 +63,7 @@ sub formbuilder_setup (@) { #{{{
 					name => "password",
 					validate => sub {
 						length $form->field("name") &&
+						length $_[0] &&
 						shift eq IkiWiki::userinfo_get($form->field("name"), 'password');
 					},
 				);
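
Review bot: the added `length $_[0] &&` line guards only the submitted value; the right-hand side of the `eq` on the following line can still be undefined or empty for an account with no password set. Consider reading the stored password into a variable first and requiring it to be defined and non-empty as well, so the check stays correct if the way the field value reaches the validate sub changes later. A one-line comment on the new condition saying that empty passwords are rejected because openid accounts have none would also help, since that reason is not visible from the validate sub itself.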

-- 
see shy jo
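
The comparison behind the report, as an added Perl illustration that is not code from ikiwiki or from the original message: the `%userinfo` store, the `userinfo_get` stand-in and the `validate_before`/`validate_after` names are hypothetical, and an unset password is assumed to be stored as undef (an empty string behaves the same way).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed user store (hypothetical): the OpenID account was created by
# an OpenID login and never had a password set; bob registered with one.
my %userinfo = (
    'http://alice.example.org/' => { password => undef },
    'bob'                       => { password => 'correct horse' },
);

# Stand-in for IkiWiki::userinfo_get; assumed to return undef when unset.
sub userinfo_get {
    my ($user, $field) = @_;
    return exists $userinfo{$user} ? $userinfo{$user}{$field} : undef;
}

# Shape of the check before the patch: only the name must be non-empty.
sub validate_before {
    my ($name, $password) = @_;
    no warnings 'uninitialized';    # undef stringifies to "" under eq
    return (length($name)
        && $password eq userinfo_get($name, 'password')) ? 1 : 0;
}

# Shape of the check after the patch: the submitted password must be
# non-empty too, so "" can no longer match an unset stored password.
sub validate_after {
    my ($name, $password) = @_;
    no warnings 'uninitialized';
    return (length($name)
        && length($password)
        && $password eq userinfo_get($name, 'password')) ? 1 : 0;
}

# Constructed login attempts: [user name, submitted password].
my @attempts = (
    [ 'http://alice.example.org/', '' ],
    [ 'bob',                       '' ],
    [ 'bob',                       'correct horse' ],
);

printf "%-28s %-16s %-7s %s\n", 'user', 'password', 'before', 'after';
for my $a (@attempts) {
    my ($name, $pw) = @$a;
    printf "%-28s %-16s %-7d %d\n", $name, "'$pw'",
        validate_before($name, $pw), validate_after($name, $pw);
}
```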