#47308 unintended information exposure when anonymous access is set to rootdse

Created 3 years ago by nkinder
Modified 13 days ago

When nsslapd-allow-anonymous-access is set to "rootdse", I would expect DS to
return only the rootDSE entry to an anonymous user. But it returns any LDAP
entry, as if anonymous access were enabled, if the search is done with scope
set to BASE. ACIs still apply, so anonymous users would only be able to see
data that is explicitly granted anonymous access by an ACI.

Steps to Reproduce:
1. Set nsslapd-allow-anonymous-access in cn=config to "rootdse"
2. Try to get an entry with scope=BASE as anonymous user

Actual results:
Entry is returned

Expected results:
Access is rejected.

This issue has been assigned CVE-2013-1897.

Bug description: The actual search base was not being checked
at all. There was a check for the search base when this feature
was initially implemented, but it was inadvertently removed when
changes were made to reduce the DN normalization throughout the
source tree (commit f639711).

Fix description: This patch adds the search base check back.

Reviewed by Rich, Noriko and Mark.

Pushed to master: commit 4b2d700
Pushed to 389-ds-base-1.3.0: commit b1feced
Pushed to 389-ds-base-1.2.11: commit 5a18c82
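The check the fix restores, as an added illustration (this is not 389-ds-base's own code, and the enum, struct and function names are hypothetical): under "rootdse" an anonymous search must satisfy two conditions, scope BASE and a search base that normalises to the empty DN (the root DSE). The pre-fix variant below tests only the scope, which is exactly the gap described in the bug description; the fixed variant adds the base check. The DN normalisation is deliberately minimal (trim and lower-case), enough to show why the base must be compared in normalised form rather than as the raw string the client sent.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Values of nsslapd-allow-anonymous-access, modelled as a hypothetical enum
 * (not the server's own definitions). */
enum anon_policy { ANON_OFF, ANON_ON, ANON_ROOTDSE };

/* LDAP search scopes as numbered in RFC 4511. */
enum { SCOPE_BASE = 0, SCOPE_ONELEVEL = 1, SCOPE_SUBTREE = 2 };

/* Hypothetical shape of an incoming search request. */
struct search_req {
    const char *bind_dn;  /* NULL or "" means the connection is anonymous */
    const char *base_dn;  /* "" is the root DSE */
    int scope;
};

/* Minimal DN normalisation: strip surrounding whitespace and lower-case.
 * Real RFC 4514 normalisation is far more involved; this is only enough to
 * make "" and "  " compare equal for the root DSE check. */
static void normalize_dn(const char *in, char *out, size_t outlen) {
    while (*in && isspace((unsigned char)*in)) in++;
    size_t n = strlen(in);
    while (n > 0 && isspace((unsigned char)in[n - 1])) n--;
    if (n >= outlen) n = outlen - 1;
    for (size_t i = 0; i < n; i++) out[i] = (char)tolower((unsigned char)in[i]);
    out[n] = '\0';
}

static int is_anonymous(const struct search_req *r) {
    return r->bind_dn == NULL || r->bind_dn[0] == '\0';
}

/* Pre-fix behaviour (the CVE-2013-1897 bug): with "rootdse" only the scope is
 * checked, so an anonymous BASE-scope search of any entry gets through to the
 * backend and ACI evaluation. Returns 1 if the search may proceed. */
int anon_search_allowed_buggy(enum anon_policy p, const struct search_req *r) {
    if (!is_anonymous(r)) return 1;
    switch (p) {
    case ANON_ON:      return 1;
    case ANON_OFF:     return 0;
    case ANON_ROOTDSE: return r->scope == SCOPE_BASE;
    }
    return 0;
}

/* Fixed behaviour: scope must be BASE and the normalised search base must be
 * the empty DN, i.e. the root DSE itself. Everything else is rejected before
 * the backend is consulted. */
int anon_search_allowed_fixed(enum anon_policy p, const struct search_req *r) {
    char base[512];
    if (!is_anonymous(r)) return 1;
    switch (p) {
    case ANON_ON:      return 1;
    case ANON_OFF:     return 0;
    case ANON_ROOTDSE:
        normalize_dn(r->base_dn, base, sizeof base);
        return r->scope == SCOPE_BASE && base[0] == '\0';
    }
    return 0;
}

int main(void) {
    /* Constructed requests: the reproduction from the ticket, plus controls. */
    const struct search_req reqs[] = {
        { NULL, "cn=config", SCOPE_BASE },       /* the ticket's repro */
        { NULL, "", SCOPE_BASE },                /* legitimate root DSE read */
        { NULL, "  ", SCOPE_BASE },              /* root DSE, un-normalised */
        { NULL, "", SCOPE_SUBTREE },             /* wrong scope */
        { "cn=Directory Manager", "cn=config", SCOPE_SUBTREE }, /* authenticated */
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        printf("bind=%-20s base=%-10s scope=%d  buggy=%d fixed=%d\n",
               reqs[i].bind_dn ? reqs[i].bind_dn : "(anonymous)",
               reqs[i].base_dn, reqs[i].scope,
               anon_search_allowed_buggy(ANON_ROOTDSE, &reqs[i]),
               anon_search_allowed_fixed(ANON_ROOTDSE, &reqs[i]));
    }
    return 0;
}
```

The first row is the ticket's reproduction: an anonymous BASE-scope search of cn=config is let through by the buggy check and rejected by the fixed one, while a root DSE read (empty base, scope BASE) and authenticated searches are unaffected. Against a live server the same check is exercised with a simple bind omitted, e.g. `ldapsearch -x -s base -b "cn=config"`, which should return an error rather than the entry once the fix is applied.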

13 days ago

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.2.11.20

ack

IPA

Directory Server

defect