Debian Bug report logs - #529344
ocsinventory-reports: Different errors for bad username and for valid username with bad password

Package: ocsinventory-reports; Maintainer for ocsinventory-reports is Pierre Chifflier <pollux@debian.org>; Source for ocsinventory-reports is src:ocsinventory-server.

Reported by: Will Aoki <waoki@umnh.utah.edu>

Date: Mon, 18 May 2009 19:30:08 UTC

Severity: normal

Tags: security

Found in version ocsinventory-server/1.01-6

Fixed in version ocsinventory-server/1.02.1-1

Done: Pierre Chifflier <pollux@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#529344; Package ocsinventory-reports. (Mon, 18 May 2009 19:30:10 GMT)

Acknowledgement sent to Will Aoki <waoki@umnh.utah.edu>:
New Bug report received and forwarded. Copy sent to Pierre Chifflier <pollux@debian.org>. (Mon, 18 May 2009 19:30:10 GMT)

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Will Aoki <waoki@umnh.utah.edu>
To: submit@bugs.debian.org
Subject: ocsinventory-reports: Different errors for bad username and for valid username with bad password
Date: Mon, 18 May 2009 13:25:30 -0600
Package: ocsinventory-reports
Version: 1.01-6
Severity: normal
Tags: security

The OCS Inventory web interface returns one error if one enters an
invalid username but a different error if one enters a valid username
with an invalid password -- in the English translation, the messages are
"User not registered" and "Password error". This type of behavior is
generally considered a problem because it permits an attacker to
determine whether usernames are valid.

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ocsinventory-reports depends on:
ii  apache2            2.2.9-10+lenny2       Apache HTTP Server metapackage
ii  apache2-mpm-prefor 2.2.9-10+lenny2       Apache HTTP Server - traditional n
ii  dbconfig-common    1.8.39                common framework for packaging dat
ii  debconf [debconf-2 1.5.24                Debian configuration management sy
ii  libapache2-mod-php 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii  php5               5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii  php5-mysql         5.2.6.dfsg.1-1+lenny3 MySQL module for php5
ii  ucf                3.0016                Update Configuration File: preserv

Versions of packages ocsinventory-reports recommends:
ii  libdbd-mysql-perl  4.007-1               A Perl5 database interface to the 
ii  libdbi-perl        1.605-1               Perl5 database interface by Tim Bu
ii  libnet-ip-perl     1.25-2                Perl extension for manipulating IP
ii  libxml-simple-perl 2.18-1                Perl module for reading and writin
ii  nmap               4.62-1                The Network Mapper
ii  ocsinventory-serve 1.01-6                Hardware and software inventory to
ii  php5-gd            5.2.6.dfsg.1-1+lenny3 GD module for php5
ii  samba-common       2:3.2.5-4lenny2       Samba common files used by both th

ocsinventory-reports suggests no packages.

-- debconf information excluded
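The behaviour reported above, and the fix the 1.02.1 changelog describes (one error for both a wrong user and a wrong password), as an added example that is not the OCS Inventory code: a login check in the reported shape beside a hardened one, plus the check a reviewer would run to confirm the two failure paths are indistinguishable. The user store, salt and passwords are constructed for the example; the hardened form also does the same hashing work for unknown users so the two paths do not differ in timing either.

```python
import hashlib
import hmac

# Constructed credential store: username -> (salt, PBKDF2 digest).
# Assumption: one registered account; the real schema is not shown on the bug page.
def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = b"constructed-salt"
USERS = {"admin": (_SALT, _digest(_SALT, "correct horse"))}
# Dummy credential evaluated when the username is unknown, so the work done is the same.
_DUMMY = (_SALT, _digest(_SALT, "dummy-placeholder"))


def login_distinct_errors(username: str, password: str) -> tuple[bool, str]:
    """The pattern reported in #529344: the message reveals whether the user exists."""
    if username not in USERS:
        return (False, "User not registered")
    salt, digest = USERS[username]
    if not hmac.compare_digest(_digest(salt, password), digest):
        return (False, "Password error")
    return (True, "OK")


def login_uniform_error(username: str, password: str) -> tuple[bool, str]:
    """Hardened form: one message, and the same hashing work, on both failure paths."""
    salt, digest = USERS.get(username, _DUMMY)
    # compare_digest always runs; the membership test only rejects a dummy match.
    ok = hmac.compare_digest(_digest(salt, password), digest) and username in USERS
    return (ok, "OK" if ok else "Invalid username or password")


def leaks_username_existence(login) -> bool:
    """Reviewer check: does an unknown user get a different reply than a known
    user with a wrong password? True means the login reveals valid usernames."""
    unknown_user = login("nobody", "wrong")
    known_user_bad_password = login("admin", "wrong")
    return unknown_user != known_user_bad_password
```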
Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#529344; Package ocsinventory-reports. (Mon, 18 May 2009 20:54:06 GMT)

Acknowledgement sent to Pierre Chifflier <p.chifflier@inl.fr>:
Extra info received and forwarded to list. Copy sent to Pierre Chifflier <pollux@debian.org>. (Mon, 18 May 2009 20:54:06 GMT)

Message #10 received at 529344@bugs.debian.org (full text, mbox):

From: Pierre Chifflier <p.chifflier@inl.fr>
To: Will Aoki <waoki@umnh.utah.edu>, 529344@bugs.debian.org
Subject: Re: Bug#529344: ocsinventory-reports: Different errors for bad username and for valid username with bad password
Date: Mon, 18 May 2009 22:48:19 +0200
On Mon, May 18, 2009 at 01:25:30PM -0600, Will Aoki wrote:
> Package: ocsinventory-reports
> Version: 1.01-6
> Severity: normal
> Tags: security
> 
> The OCS Inventory web interface returns one error if one enters an
> invalid username but a different error if one enters a valid username
> with an invalid password -- in the English translation, the messages are
> "User not registered" and "Password error". This type of behavior is
> generally considered a problem because it permits an attacker to
> determine whether usernames are valid.
> 

Hi,

Yes, this can eventually lead to finding whether a user is valid or
not. You'll also discover that the admin user is .. admin !

Seriously, while I agree on what you say, the tag 'security' seems a bit
strong to me. Especially given that the README.Debian advises to give
access even to the login window only to authenticated users (Apache
auth, for ex).

Cheers,
Pierre
Reply sent to Pierre Chifflier <pollux@debian.org>:
You have taken responsibility. (Mon, 01 Jun 2009 10:06:14 GMT)

Notification sent to Will Aoki <waoki@umnh.utah.edu>:
Bug acknowledged by developer. (Mon, 01 Jun 2009 10:06:14 GMT)

Message #15 received at 529344-close@bugs.debian.org (full text, mbox):

From: Pierre Chifflier <pollux@debian.org>
To: 529344-close@bugs.debian.org
Subject: Bug#529344: fixed in ocsinventory-server 1.02.1-1
Date: Mon, 01 Jun 2009 09:23:41 +0000
Source: ocsinventory-server
Source-Version: 1.02.1-1

We believe that the bug you reported is fixed in the latest version of
ocsinventory-server, which is due to be installed in the Debian FTP archive:

ocsinventory-reports_1.02.1-1_all.deb
  to pool/main/o/ocsinventory-server/ocsinventory-reports_1.02.1-1_all.deb
ocsinventory-server_1.02.1-1.diff.gz
  to pool/main/o/ocsinventory-server/ocsinventory-server_1.02.1-1.diff.gz
ocsinventory-server_1.02.1-1.dsc
  to pool/main/o/ocsinventory-server/ocsinventory-server_1.02.1-1.dsc
ocsinventory-server_1.02.1-1_all.deb
  to pool/main/o/ocsinventory-server/ocsinventory-server_1.02.1-1_all.deb
ocsinventory-server_1.02.1.orig.tar.gz
  to pool/main/o/ocsinventory-server/ocsinventory-server_1.02.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 529344@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Chifflier <pollux@debian.org> (supplier of updated ocsinventory-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 01 Jun 2009 10:39:03 +0200
Source: ocsinventory-server
Binary: ocsinventory-server ocsinventory-reports
Architecture: source all
Version: 1.02.1-1
Distribution: unstable
Urgency: low
Maintainer: Pierre Chifflier <pollux@debian.org>
Changed-By: Pierre Chifflier <pollux@debian.org>
Description: 
 ocsinventory-reports - Hardware and software inventory tool (Administration Console)
 ocsinventory-server - Hardware and software inventory tool (Communication Server)
Closes: 512660 529344 529409 529608
Changes: 
 ocsinventory-server (1.02.1-1) unstable; urgency=low
 .
   * New Upstream Version (Closes: #529409):
     - Some security fixes
     - Use the same error for wrong user or wrong password (Closes: #529344)
   * Fix name of upstream tgz in watch file (Closes: #529608)
   * Upload to unstable:
     - The SQL table is fully created by dbconfig-common (Closes: #512660)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Jul 2009 07:31:08 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 21:06:13 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.