[Secure-testing-team] Bug#593466: zope-ldapuserfolder: Fails to check password for emergency user
Jeremy James
jbj at forbidden.co.uk
Wed Aug 18 12:59:05 UTC 2010
Package: zope-ldapuserfolder
Version: 2.9-1
Severity: grave
Tags: security
Justification: user security hole
When an LDAP user folder is enabled, any password is accepted when attempting to log in
as the emergency user (that is, the one defined in the 'access' file using zpasswd.py).
/usr/share/zope/Products/LDAPUserFolder/LDAPUserFolder.py fails to check that the password is
correct, leading to the above security issue. The patch should be:
--- LDAPUserFolder.py.orig 2010-08-18 12:58:18.000000000 +0100
+++ LDAPUserFolder.py.fixed 2010-08-18 13:50:22.000000000 +0100
@@ -800,7 +800,7 @@
if not name:
return None
- if super and name == super.getUserName():
+ if super and name == super.getUserName() and super.authenticate(password, request):
user = super
else:
user = self.getUser(name, password)
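Review bot: with the new condition, a request that names the emergency user but presents a wrong password no longer matches the first branch and falls through to `user = self.getUser(name, password)`, so the emergency user's name is then looked up in LDAP instead of being rejected outright. Consider an explicit fail-closed branch (`elif super and name == super.getUserName(): return None`) so the emergency account is only ever authenticated against the 'access' file. Minor style point: the local `super` shadows the Python builtin; renaming it would make the condition easier to read. Also note the hunk as posted has lost its leading indentation, so it will need to be re-indented before it applies cleanly.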
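The emergency-user check from this report, reduced to a self-contained Python model (added example, not LDAPUserFolder's or Zope's code): `EmergencyUser`, `Folder` and the dictionary standing in for the LDAP directory are assumptions. `validate_vulnerable` reproduces the name-only check; `validate_fixed` applies the patch's `authenticate()` check and, going one step further than the patch, fails closed rather than falling through to the directory lookup.

```python
import hashlib
import hmac


class EmergencyUser:
    """Stand-in for the emergency user defined in the 'access' file."""

    def __init__(self, name, password):
        self._name = name
        self._digest = hashlib.sha256(password.encode()).digest()

    def getUserName(self):
        return self._name

    def authenticate(self, password, request=None):
        # Constant-time comparison of the presented password's digest.
        presented = hashlib.sha256(password.encode()).digest()
        return hmac.compare_digest(presented, self._digest)


class Folder:
    """Minimal stand-in for the LDAP user folder's validation path."""

    def __init__(self, emergency_user, ldap_users):
        self._super = emergency_user
        self._ldap = ldap_users  # constructed {name: password} "directory"

    def getUser(self, name, password):
        # Stand-in for the LDAP bind; None means "not authenticated".
        return name if self._ldap.get(name) == password else None

    def validate_vulnerable(self, name, password, request=None):
        if not name:
            return None
        emergency = self._super
        if emergency and name == emergency.getUserName():
            return emergency.getUserName()  # BUG: password never checked
        return self.getUser(name, password)

    def validate_fixed(self, name, password, request=None):
        if not name:
            return None
        emergency = self._super
        if emergency and name == emergency.getUserName():
            # The patch's check; additionally fail closed instead of
            # letting the emergency name fall through to the LDAP lookup.
            if emergency.authenticate(password, request):
                return emergency.getUserName()
            return None
        return self.getUser(name, password)
```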
-- System Information:
Debian Release: 5.0.5
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages zope-ldapuserfolder depends on:
ii python-ldap 2.3.5-1 An LDAP interface module for Pytho
ii zope-common 0.5.45 common settings and scripts for Zo
ii zope2.9 2.9.6-4etch2 Open Source Web Application Server
zope-ldapuserfolder recommends no packages.
zope-ldapuserfolder suggests no packages.
-- no debconf information