Report forwarded
to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>: Bug#529344; Package ocsinventory-reports.
(Mon, 18 May 2009 19:30:10 GMT)
Acknowledgement sent
to Will Aoki <waoki@umnh.utah.edu>:
New Bug report received and forwarded. Copy sent to Pierre Chifflier <pollux@debian.org>.
(Mon, 18 May 2009 19:30:10 GMT)
Subject: ocsinventory-reports: Different errors for bad username and for valid username with bad password
Date: Mon, 18 May 2009 13:25:30 -0600
Package: ocsinventory-reports
Version: 1.01-6
Severity: normal
Tags: security
The OCS Inventory web interface returns one error if one enters an
invalid username but a different error if one enters a valid username
with an invalid password -- in the English translation, the messages are
"User not registered" and "Password error". This type of behavior is
generally considered a problem because it permits an attacker to
determine whether usernames are valid.
-- System Information:
Debian Release: 5.0.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages ocsinventory-reports depends on:
ii apache2 2.2.9-10+lenny2 Apache HTTP Server metapackage
ii apache2-mpm-prefor 2.2.9-10+lenny2 Apache HTTP Server - traditional n
ii dbconfig-common 1.8.39 common framework for packaging dat
ii debconf [debconf-2 1.5.24 Debian configuration management sy
ii libapache2-mod-php 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii php5 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii php5-mysql 5.2.6.dfsg.1-1+lenny3 MySQL module for php5
ii ucf 3.0016 Update Configuration File: preserv
Versions of packages ocsinventory-reports recommends:
ii libdbd-mysql-perl 4.007-1 A Perl5 database interface to the
ii libdbi-perl 1.605-1 Perl5 database interface by Tim Bu
ii libnet-ip-perl 1.25-2 Perl extension for manipulating IP
ii libxml-simple-perl 2.18-1 Perl module for reading and writin
ii nmap 4.62-1 The Network Mapper
ii ocsinventory-serve 1.01-6 Hardware and software inventory to
ii php5-gd 5.2.6.dfsg.1-1+lenny3 GD module for php5
ii samba-common 2:3.2.5-4lenny2 Samba common files used by both th
ocsinventory-reports suggests no packages.
-- debconf information excluded
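The two behaviours described in this report, shown side by side as an added example (this is not OCS Inventory's code; the user store, the PBKDF2 hashing and the "admin"/"admin" account are constructed for illustration). `login_verbose` reproduces the reported problem, `login_uniform` the approach the 1.02.1 upstream fix takes (one message for both failures), and additionally performs the same hashing work for unknown users so that response time does not reveal what the message no longer does. `leaks_username_validity` is the regression check a maintainer can keep in a test suite.

```python
import hashlib
import hmac
import os

# Constructed sample user store: username -> (salt, PBKDF2-SHA256 of the password).
# "admin"/"admin" is the only account; purely illustrative data.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"admin": (_SALT, _pbkdf2("admin", _SALT))}

# Dummy record used for unknown usernames: hashing still runs once, but the
# 32 random bytes can never equal a real PBKDF2 output, so it never verifies.
_DUMMY = (b"dummy-salt", os.urandom(32))


def login_verbose(username: str, password: str) -> str:
    """The reported behaviour: the message itself says whether the user exists."""
    if username not in USERS:
        return "User not registered"
    salt, expected = USERS[username]
    if not hmac.compare_digest(_pbkdf2(password, salt), expected):
        return "Password error"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """One message for both failure cases, and the same hashing cost either way."""
    salt, expected = USERS.get(username, _DUMMY)
    if hmac.compare_digest(_pbkdf2(password, salt), expected):
        return "OK"
    return "Invalid username or password"


def leaks_username_validity(login) -> bool:
    """Regression check: True if an unknown user and a wrong password are distinguishable."""
    return login("nosuchuser", "x") != login("admin", "wrong")


if __name__ == "__main__":
    for fn in (login_verbose, login_uniform):
        print(fn.__name__, "leaks:", leaks_username_validity(fn))
```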
Information forwarded
to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>: Bug#529344; Package ocsinventory-reports.
(Mon, 18 May 2009 20:54:06 GMT)
Acknowledgement sent
to Pierre Chifflier <p.chifflier@inl.fr>:
Extra info received and forwarded to list. Copy sent to Pierre Chifflier <pollux@debian.org>.
(Mon, 18 May 2009 20:54:06 GMT)
To: Will Aoki <waoki@umnh.utah.edu>, 529344@bugs.debian.org
Subject: Re: Bug#529344: ocsinventory-reports: Different errors for bad username and for valid username with bad password
Date: Mon, 18 May 2009 22:48:19 +0200
On Mon, May 18, 2009 at 01:25:30PM -0600, Will Aoki wrote:
> Package: ocsinventory-reports
> Version: 1.01-6
> Severity: normal
> Tags: security
>
> The OCS Inventory web interface returns one error if one enters an
> invalid username but a different error if one enters a valid username
> with an invalid password -- in the English translation, the messages are
> "User not registered" and "Password error". This type of behavior is
> generally considered a problem because it permits an attacker to
> determine whether usernames are valid.
>
Hi,
Yes, this can eventually lead to finding whether a user is valid or
not. You'll also discover that the admin user is... admin!
Seriously, while I agree on what you say, the tag 'security' seems a bit
strong to me. Especially given that the README.Debian advises to give
access even to the login window only to authenticated users (Apache
auth, for ex).
Cheers,
Pierre
Reply sent
to Pierre Chifflier <pollux@debian.org>:
You have taken responsibility.
(Mon, 01 Jun 2009 10:06:14 GMT)
Notification sent
to Will Aoki <waoki@umnh.utah.edu>:
Bug acknowledged by developer.
(Mon, 01 Jun 2009 10:06:14 GMT)
Subject: Bug#529344: fixed in ocsinventory-server 1.02.1-1
Date: Mon, 01 Jun 2009 09:23:41 +0000
Source: ocsinventory-server
Source-Version: 1.02.1-1
We believe that the bug you reported is fixed in the latest version of
ocsinventory-server, which is due to be installed in the Debian FTP archive:
ocsinventory-reports_1.02.1-1_all.deb
to pool/main/o/ocsinventory-server/ocsinventory-reports_1.02.1-1_all.deb
ocsinventory-server_1.02.1-1.diff.gz
to pool/main/o/ocsinventory-server/ocsinventory-server_1.02.1-1.diff.gz
ocsinventory-server_1.02.1-1.dsc
to pool/main/o/ocsinventory-server/ocsinventory-server_1.02.1-1.dsc
ocsinventory-server_1.02.1-1_all.deb
to pool/main/o/ocsinventory-server/ocsinventory-server_1.02.1-1_all.deb
ocsinventory-server_1.02.1.orig.tar.gz
to pool/main/o/ocsinventory-server/ocsinventory-server_1.02.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 529344@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pierre Chifflier <pollux@debian.org> (supplier of updated ocsinventory-server package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 01 Jun 2009 10:39:03 +0200
Source: ocsinventory-server
Binary: ocsinventory-server ocsinventory-reports
Architecture: source all
Version: 1.02.1-1
Distribution: unstable
Urgency: low
Maintainer: Pierre Chifflier <pollux@debian.org>
Changed-By: Pierre Chifflier <pollux@debian.org>
Description:
ocsinventory-reports - Hardware and software inventory tool (Administration Console)
ocsinventory-server - Hardware and software inventory tool (Communication Server)
Closes: 512660 529344 529409 529608
Changes:
ocsinventory-server (1.02.1-1) unstable; urgency=low
.
* New Upstream Version (Closes: #529409):
- Some security fixes
- Use the same error for wrong user or wrong password (Closes: #529344)
* Fix name of upstream tgz in watch file (Closes: #529608)
* Upload to unstable:
- The SQL table is fully created by dbconfig-common (Closes: #512660)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 10 Jul 2009 07:31:08 GMT)