Re: CVE-2016-2313 fix wrong
On 28/07/16 13:35, Matus UHLAR - fantomas wrote:
> Hello,
>
> I believe the fix for CVE-2016-2313 in
> CVE-2016-2313-authentication-bypass.patch is invalid.
>
> Quoting the authorization settings:
>
> Web Basic Authentication - Authentication is handled by the web server.
> Users can be added or created automatically on first login if the Template
> User is defined, otherwise the defined guest permissions will be used.
>
> This patch makes authentication fail when the template user is not set, but
> the guest user is set, while in such a case the guest user should be used.
>
> Unfortunately the original bug report does not have a fix for this, and the last
> comment says:
>
> "
> (0007083)
> cigamit (developer)
> 2016-03-06 11:01
>
> agree and it's been re-fixed in 1.0. Will backport shortly. "
>
>
> I believe that the patch could be fixed simply by changing the test from:
>
>
> + if (!$user && read_config_option('user_template') == '0') {
>
> to something like:
>
> + if (!$user && read_config_option('user_template') == '0' &&
> read_config_option('guest_user') == '0') {
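Review bot: the added read_config_option('guest_user') == '0' clause only stops this branch from exiting; it does not by itself establish that the request continues as the guest account. Confirm that the code following this block resolves an empty $user to the configured guest user, and that a guest_user value pointing at a missing or disabled account still ends in a denial rather than an unauthenticated session. Since this is an authentication-bypass fix, both cases (template unset with guest set, and both unset) deserve a test.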
>
> and of course the error messages:
>
> + cacti_log("ERROR: User '" . $username . "' authenticated
> by Web Server, but a Template User is not defined in Cacti. Exiting.", false,
> 'AUTH');
> + $username = htmlspecialchars($username);
> + auth_display_custom_error_message("$username
> authenticated by Web Server, but a Template User is not defined in Cacti.");
>
> to:
>
> + cacti_log("ERROR: User '" . $username . "' authenticated
> by Web Server, but a Template User and a Guest User are not defined in Cacti.
> Exiting.", false, 'AUTH');
> + $username = htmlspecialchars($username);
> + auth_display_custom_error_message("$username
> authenticated by Web Server, but a Template User and a Guest User are not
> defined in Cacti.");
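Review bot: in the cacti_log() call, $username is concatenated into the log line as received from the web server, and htmlspecialchars() is applied only afterwards for the displayed message. Consider stripping control characters such as CR/LF from the value before logging so that a crafted user name cannot add misleading AUTH log entries. The revised wording itself matches the new condition (both Template User and Guest User undefined).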
>
> This seems to work on our Cacti installation.
Thanks for the report. I'll look at it later today.
Cheers,
Emilio