#47308 unintended information exposure when anonymous access is set to rootdse
Closed: wontfix. Opened 11 years ago by nkinder.

When nsslapd-allow-anonymous-access is set to "rootdse", I would expect DS to
return only the rootDSE entry to an anonymous user. But it returns any LDAP entry, as
it would with anonymous access enabled, if the search is done with scope set to BASE.
ACIs still apply, so anonymous users would only be able to see data that is explicitly
granted anonymous access by an ACI.

Steps to Reproduce:
1. Set nsslapd-allow-anonymous-access in cn=config to "rootdse"
2. Try to get an entry with scope=BASE as anonymous user

Actual results:
Entry is returned

Expected results:
Access is rejected.

This issue has been assigned CVE-2013-1897.

Bug description: The actual search base was not being checked
at all. There was a check for the search base when this feature
was initially implemented, but it was inadvertently removed when
changes were made to reduce the DN normalization throughout the
source tree (commit f639711).

Fix description: This patch adds the search base check back.

Reviewed by Rich, Noriko and Mark.

Pushed to master: commit 4b2d700
Pushed to 389-ds-base-1.3.0: commit b1feced
Pushed to 389-ds-base-1.2.11: commit 5a18c82
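To make the reproduction steps and the fix description above concrete, the following is an added model of the anonymous-access gate, written for this ticket and not code from 389-ds-base. It assumes, from the bug description, that the pre-fix "rootdse" check looked only at the search scope and that the fix additionally requires the search base to be the empty DN (the root DSE); the function and class names, the whitespace-stripping stand-in for DN normalization, and the ACI stub are all hypothetical.

```python
"""Model of nsslapd-allow-anonymous-access handling (added example, hypothetical names).

Assumed from the ticket: in "rootdse" mode the pre-fix server accepted any
anonymous search whose scope was BASE, because the check on the search base
had been dropped during the DN-normalization cleanup. The fixed server also
requires the base to be the root DSE (the empty DN). ACIs are a separate,
later layer; they are modelled here only as a stub.
"""
from dataclasses import dataclass

SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2  # LDAP search scope codes

# Valid values of nsslapd-allow-anonymous-access in cn=config.
ANON_SETTINGS = ("on", "off", "rootdse")


@dataclass(frozen=True)
class SearchRequest:
    bind_dn: str   # "" means the connection is bound anonymously
    base_dn: str   # "" is the root DSE
    scope: int


def normalize_dn(dn: str) -> str:
    """Stand-in for DN normalization (assumed): only trims surrounding whitespace."""
    return dn.strip()


def is_anonymous(req: SearchRequest) -> bool:
    return normalize_dn(req.bind_dn) == ""


def targets_rootdse(req: SearchRequest) -> bool:
    """A root DSE read is a BASE-scope search against the empty DN."""
    return normalize_dn(req.base_dn) == "" and req.scope == SCOPE_BASE


def _common_gate(setting: str, req: SearchRequest):
    """Shared part of the gate; returns a verdict or None when 'rootdse' must decide."""
    if setting not in ANON_SETTINGS:
        raise ValueError(f"invalid nsslapd-allow-anonymous-access value: {setting!r}")
    if not is_anonymous(req):      # authenticated binds are never gated here
        return True
    if setting == "on":            # anonymous access fully allowed
        return True
    if setting == "off":           # anonymous access fully refused
        return False
    return None                    # "rootdse": caller applies its own check


def allowed_before_fix(setting: str, req: SearchRequest) -> bool:
    """Modelled pre-fix behaviour: in 'rootdse' mode only the scope is inspected.

    Any base DN passes as long as scope == BASE, which is the CVE-2013-1897 bug.
    """
    verdict = _common_gate(setting, req)
    if verdict is not None:
        return verdict
    return req.scope == SCOPE_BASE


def allowed_after_fix(setting: str, req: SearchRequest) -> bool:
    """Modelled fixed behaviour: the search base is checked again (empty DN only)."""
    verdict = _common_gate(setting, req)
    if verdict is not None:
        return verdict
    return targets_rootdse(req)


def aci_allows_anonymous(base_dn: str) -> bool:
    """Hypothetical ACI layer stub: only the root DSE is readable anonymously here.

    Even on a vulnerable server, entries without an anonymous-read ACI stay hidden;
    the gate above is the defence the ticket is about, the ACI is the next one.
    """
    return normalize_dn(base_dn) == ""


def reproduce_ticket(before_fix: bool) -> dict:
    """Replay the ticket's cases against the chosen gate; returns base -> bool."""
    gate = allowed_before_fix if before_fix else allowed_after_fix
    cases = {
        "rootdse-base":   SearchRequest("", "", SCOPE_BASE),
        "entry-base":     SearchRequest("", "uid=alice,ou=people,dc=example,dc=com", SCOPE_BASE),
        "entry-subtree":  SearchRequest("", "dc=example,dc=com", SCOPE_SUBTREE),
        "bound-subtree":  SearchRequest("cn=Directory Manager", "dc=example,dc=com", SCOPE_SUBTREE),
    }
    return {name: gate("rootdse", req) for name, req in cases.items()}


if __name__ == "__main__":
    # On a real server the equivalent probe, after setting the attribute in cn=config, is:
    #   ldapsearch -x -H ldap://host -b "uid=alice,ou=people,dc=example,dc=com" -s base
    # A vulnerable server returns the entry (subject to ACIs); a fixed one refuses.
    for label, before in (("before fix", True), ("after fix", False)):
        print(label, reproduce_ticket(before))
```

The only case whose verdict changes between the two gates is the BASE-scope search against a real entry: the pre-fix model lets it through and leaves the outcome to the ACIs, the fixed model refuses it outright, which is the "Access is rejected" the reporter expected. Subtree searches are refused by both, so a reproduction that only tries `-s sub` would wrongly conclude the server is fixed.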

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone:

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/645

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago
