[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy + slapcat = ldif vulnerability?

To: Scott Classen <SClassen@lbl.gov>
Subject: Re: ppolicy + slapcat = ldif vulnerability?
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Tue, 4 Dec 2007 15:41:34 +0100
Cc: openldap-software@openldap.org
In-reply-to: <f5fe535c34bd.47541303@lbl.gov>
References: <f5fe535c34bd.47541303@lbl.gov>

Scott Classen writes:
> I'm not sure if this is truly a vulnerability, but I thought I'd put
> it out there for discussion.
> (...)
> When I back up the bdb database via slapcat -l backup.ldif the
> userPassword field looks to be Base64 hashed.
> (...)
> but the passwd history leaves the passwd hashes visible.

If you can get at the base64 representation, you can also base64-decode
it.  However if a userPassword contains a plaintext password and is not
base64-encoded, you can then accidentally display the password for
others to see.  I think that's why userPassword is displayed in base64.

I don't remember if pwdHistory can contain a currently active password?
Otherwise it doesn't seem much of a problem.

But this reminds me - there are also back-config attributes which
contain passwords, in particular olcRootPW.  I'm not sure that is a
problem though.  Hopefully people are more careful with who is looking
when they are playing with cn=config, in particular if they have
plaintext passwords there.  And base64-encoding it could frustrate
people who _want_ to read it.  I don't know whether the best approach is
to base64 those attributes or leave them alone.

-- 
Regards,
Hallvard

References:
- ppolicy + slapcat = ldif vulnerability?
  - From: Scott Classen <SClassen@lbl.gov>

Prev by Date: Re: ppolicy + slapcat = ldif vulnerability?
Next by Date: RE: ppolicy + slapcat = ldif vulnerability?
Index(es):
- Chronological
- Thread