
CVE-2016-2313 fix wrong



Hello,

I believe the fix for CVE-2016-2313 in
CVE-2016-2313-authentication-bypass.patch is invalid.

Quoting the authorization settings:

Web Basic Authentication - Authentication is handled by the web server.
Users can be added or created automatically on first login if the Template
User is defined, otherwise the defined guest permissions will be used.
This patch makes authentication fail when the template user is not set but
the guest user is set, while in such a case the guest user should be used.

Unfortunately the original bug report does not have a fix for this, and the last
comment says:

"
(0007083)
cigamit (developer)
2016-03-06 11:01

agree and it's been re-fixed in 1.0. Will backport shortly. "


I believe that the patch could be fixed simply by changing the test from:


+               if (!$user && read_config_option('user_template') == '0') {

to something like:

+               if (!$user && read_config_option('user_template') == '0' && read_config_option('guest_user') == '0') {
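Review bot: the proposed condition recognises only the literal string '0' as "Guest User not defined"; if `read_config_option('guest_user')` can also return an empty or missing value, that case would pass the check with neither a Template User nor a Guest User to fall back on. Consider also testing for an empty value, e.g. `$guest = read_config_option('guest_user'); if (!$user && ... && ($guest == '0' || $guest == ''))`, and storing both lookups in variables so the check and the later fallback use the same values. The quoted lines change only the rejection test; the branch that actually selects the guest user when no template user is set is not shown, so please confirm it is present in the patched code path.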

and of course the error messages:

+                       cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but a Template User is not defined in Cacti.  Exiting.", false, 'AUTH');
+                       $username = htmlspecialchars($username);
+                       auth_display_custom_error_message("$username authenticated by Web Server, but a Template User is not defined in Cacti.");

to:

+                       cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but a Template User and a Guest User are not defined in Cacti.  Exiting.", false, 'AUTH');
+                       $username = htmlspecialchars($username);
+                       auth_display_custom_error_message("$username authenticated by Web Server, but a Template User and a Guest User are not defined in Cacti.");
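Review bot: the message text now matches the new condition, but note that `cacti_log` receives the raw `$username` while the displayed message uses the `htmlspecialchars` copy; since the username is taken from the web server's authentication data, consider logging a sanitised form as well so unexpected characters cannot alter the log line.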

This seems to work on our Cacti installation.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Enter any 12-digit prime number to continue.
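As an added illustration (not code from the Cacti patch or from the poster above), the following PHP models the Web Basic Authentication precedence the report describes: an existing user logs in directly, a Template User creates the account, otherwise the Guest User is used, and only when neither is configured is the login rejected. The `$settings` array and `option_is_unset()` are stand-ins for Cacti's `read_config_option()`; treating an empty or missing value like '0' is an assumption.

```php
<?php
// Added example modelling the decision described in the report.
// Assumption: an absent, empty, false or '0' setting all mean "not defined".
function option_is_unset($value) {
    return $value === null || $value === '' || $value === false || $value === '0';
}

// $existing_user_id: id of the already-known Cacti user, or 0 if none.
// $settings: stand-in for Cacti's configuration store (constructed here).
function resolve_web_basic_user($existing_user_id, array $settings) {
    if ($existing_user_id) {
        return array('action' => 'login', 'user' => $existing_user_id);
    }
    $template = isset($settings['user_template']) ? $settings['user_template'] : null;
    $guest    = isset($settings['guest_user'])    ? $settings['guest_user']    : null;

    if (!option_is_unset($template)) {
        // Template User defined: create the account on first login.
        return array('action' => 'create_from_template', 'user' => $template);
    }
    if (!option_is_unset($guest)) {
        // No Template User, but a Guest User: use the guest permissions.
        return array('action' => 'guest', 'user' => $guest);
    }
    // The only case that should fail: neither Template User nor Guest User.
    return array('action' => 'deny',
                 'reason' => 'Template User and Guest User are not defined');
}

// Constructed sample settings, not taken from any real installation.
var_dump(resolve_web_basic_user(0, array('user_template' => '0', 'guest_user' => '3')));
var_dump(resolve_web_basic_user(0, array('user_template' => '0', 'guest_user' => '0')));
var_dump(resolve_web_basic_user(0, array('guest_user' => '')));
```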