Potential Bug In Nagios XI Ldap Auth Component

ssmiller_gfs
Posts: 9
Joined: Tue May 08, 2012 1:33 pm

Potential Bug In Nagios XI Ldap Auth Component

Post by ssmiller_gfs »

We recently ran across an issue where blank passwords were always being accepted for authentication credentials when LDAP was enabled with the LDAP Authentication component at http://exchange.nagios.org/directory/Ad ... nt/details. After some digging we found that PHP interprets a blank password as an LDAP anonymous bind request. Although our server will not let a user query any information with an anonymous bind, it will let the connection succeed. In order to quickly fix this, I patched the ldapauth.inc.php component to add a new configuration option to Allow Blank Passwords. This will allow the module itself to reject logins on blank passwords. There might be a more graceful way to perform this check, but this was the easiest path to lock down the vulnerability from our end.

Below is a patch file to add the additional check for blank passwords. Is there a better way to submit this patch other than the forum?


--- /root/ldapauth/ldapauth/ldapauth.inc.php    2012-10-30 15:15:06.000000000 -0400
+++ ldapauth.inc.php    2013-09-18 09:52:09.207890517 -0400
@@ -92,6 +92,7 @@
                        $ldap_port=grab_array_var($settings,"ldap_port","389");
                        $base_dn=grab_array_var($settings,"base_dn","dc=acme,dc=com");
                        $user_dn=grab_array_var($settings,"user_dn","cn=[USERNAME],cn=users,dc=acme,dc=com");
+                       $allowblankpw=grab_array_var($settings,"allowblankpw","0");
                        $enabled=grab_array_var($settings,"enabled","");

                        // values passed to us
@@ -99,6 +100,7 @@
                        $ldap_port=grab_array_var($inargs,"ldap_port",$ldap_port);
                        $base_dn=grab_array_var($inargs,"base_dn",$base_dn);
                        $user_dn=grab_array_var($inargs,"user_dn",$user_dn);
+                       $allowblankpw=grab_array_var($inargs,"allowblankpw",$allowblankpw);
                        $enabled=checkbox_binary(grab_array_var($inargs,"enabled",$enabled));

                        $component_url=get_component_url_base($component_name);
@@ -122,6 +124,17 @@

        <tr>
        <td valign="top">
+       <label for="enabled">'.gettext('Allow Blank Passwords').':</label><br class="nobr" />
+       </td>
+       <td>
+       <input type="checkbox" class="checkbox" id="allowblankpw" name="allowblankpw" '.is_checked($allowblankpw,1).'>
+<br class="nobr" />
+       '.gettext('Allow Blank Passwords').'.<br><br>
+       </td>
+       </tr>
+
+       <tr>
+       <td valign="top">
        <label>'.gettext('LDAP Host').':</label><br class="nobr" />
        </td>
        <td>
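Review bot: the new label points at the wrong control: `<label for="enabled">` was copied from the Enabled row, but the checkbox it introduces has `id="allowblankpw"`, so clicking the label toggles the Enabled checkbox instead. Change it to `<label for="allowblankpw">`. The help text after the checkbox only repeats the label; a sentence stating the effect (unchecked, a blank password is rejected before any bind is attempted) would help administrators decide.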
@@ -173,6 +186,7 @@
                        $base_dn=grab_array_var($inargs,"base_dn","");
                        $user_dn=grab_array_var($inargs,"user_dn","");
                        $enabled=checkbox_binary(grab_array_var($inargs,"enabled",""));
+                       $allowblankpw=checkbox_binary(grab_array_var($inargs,"allowblankpw",""));

                        // validate variables
                        $errors=0;
@@ -211,6 +225,7 @@
                                "ldap_port" => $ldap_port,
                                "base_dn" => $base_dn,
                                "user_dn" => $user_dn,
+                               "allowblankpw" => $allowblankpw,

                        // validate variables
                        $errors=0;
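Review bot: this hunk looks like a paste error rather than a real change. Its header is identical to the next hunk (`@@ -211,6 +225,7 @@`), and its body stops after `"allowblankpw" => $allowblankpw,` and then repeats the `// validate variables` / `$errors=0;` context from the `-173` hunk, so the line counts in the header do not match the body and `patch` will reject the file. Drop this copy and keep the complete hunk that follows.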
@@ -211,6 +225,7 @@
                                "ldap_port" => $ldap_port,
                                "base_dn" => $base_dn,
                                "user_dn" => $user_dn,
+                               "allowblankpw" => $allowblankpw,
                                "enabled" => $enabled,
                                );
                        set_option("ldapauth_component_options",serialize($settings));
@@ -249,6 +264,7 @@
        $base_dn=grab_array_var($settings,"base_dn");
        $user_dn=grab_array_var($settings,"user_dn");
        $enabled=grab_array_var($settings,"enabled");
+        $allowblankpw=grab_array_var($settings,"allowblankpw");

        // bail out if we're not enabled...
        if($enabled!=1){
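Review bot: this read omits the fail-closed default that the first hunk supplies (`grab_array_var($settings,"allowblankpw","0")`). On an installation whose options were saved before this patch the key is absent, so the value depends on what grab_array_var() returns with no default; the `==0` test later happens to treat null as 0 under PHP's loose comparison, but passing the explicit `"0"` here removes that reliance and documents the intended default.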
@@ -257,6 +273,14 @@
                }

        //putenv('LDAPTLS_REQCERT=never')   //allows connection to SSL LDAP server, fixes certificate issue
+
+
+        //Check on blank passwords.  LDAP interprets blank passwords as anonymous binds.  If a server
+        //  allows anonymous binds, then authentication would always be allowed, unless this check is in place.
+        if($allowblankpw==0 && empty($password)) {
+               $cbargs["info_messages"][]="Blank Passwored Entered.";
+                return;
+        }

        // connect to the LDAP server
        if(!($ds=ldap_connect($ldap_host,$ldap_port))){
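Review bot: the check is in the right place (before ldap_connect(), so no bind is ever attempted), but `empty($password)` is too broad: in PHP `empty("0")` is true, so a user whose password is exactly `0` is rejected as blank. Test for a zero-length string instead, e.g. `if($allowblankpw==0 && ($password===null || $password==="")) {`. Also fix the typo in the message (`Blank Passwored Entered.`) and consider reporting through `error_messages` rather than `info_messages` so the refused login is recorded as an error. The comment could add that an empty password with a non-empty DN is what RFC 4513 calls an unauthenticated bind, which directories other than this one may also accept, which is why rejecting by default is the right choice.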
@@ -271,6 +295,7 @@

        // construct the dn
        $dn=str_replace("[USERNAME]",$username,$user_dn);
+

        // try binding with the username and password
        if(($bind=ldap_bind($ds,$dn,$password))){
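Review bot: this hunk adds only an empty line after the DN construction; drop it so the patch carries nothing but the functional change.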
@@ -293,4 +318,4 @@
        }


-?>
\ No newline at end of file
+?>
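Review bot: this hunk only adds the missing trailing newline after `?>`; harmless, but unrelated to the fix. Omitting the closing `?>` from a pure-PHP include file, as is common practice, would also avoid the trailing-whitespace problem altogether.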

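A hardened version of the pre-bind check, added here as an illustration and not code from the component or from the poster; the function names ldapauth_precheck() and ldapauth_try_bind() are assumptions, and ldap_escape() requires PHP 5.6 or later:

```php
<?php
// Added example, not the component's or the poster's code. The function names
// ldapauth_precheck() and ldapauth_try_bind() are assumptions; ldap_escape()
// needs PHP >= 5.6.

// Decide whether a simple bind should be attempted at all.
function ldapauth_precheck($username, $password, $allowblankpw = 0)
{
    // A zero-length password turns the bind into an anonymous/unauthenticated
    // bind, which many directories accept even when they refuse anonymous
    // searches. Use === '' rather than empty(): empty("0") is true in PHP,
    // so a user whose password is literally "0" would be locked out.
    if ($password === null || $password === '') {
        return $allowblankpw == 1;   // only if the admin explicitly allows it
    }
    // The username is spliced into the DN template; refuse blank names.
    if ($username === null || trim($username) === '') {
        return false;
    }
    return true;
}

// Bind wrapper: the precheck runs before any network I/O, so a blank
// password never reaches ldap_bind() unless the option is switched on.
function ldapauth_try_bind($host, $port, $user_dn_template, $username,
                           $password, $allowblankpw = 0)
{
    if (!ldapauth_precheck($username, $password, $allowblankpw)) {
        return false;
    }
    $ds = ldap_connect($host, $port);
    if (!$ds) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Escape DN metacharacters so the username cannot rewrite the DN.
    $dn = str_replace('[USERNAME]', ldap_escape($username, '', LDAP_ESCAPE_DN),
                      $user_dn_template);
    $ok = @ldap_bind($ds, $dn, $password);
    ldap_unbind($ds);
    return $ok === true;
}

// Constructed self-check of the precheck; no directory is contacted.
var_dump(ldapauth_precheck('alice', '', 0));   // blank password, option off
var_dump(ldapauth_precheck('alice', '0', 0));  // password "0" is a real password
var_dump(ldapauth_precheck('alice', '', 1));   // blank password, option on
```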
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Potential Bug In Nagios XI Ldap Auth Component

Post by abrist »

The best way is to submit the patch through a bug report on: http://tracker.nagios.com
I will let our ldap guy know as well, but a bug report would be nice.
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
ssmiller_gfs
Posts: 9
Joined: Tue May 08, 2012 1:33 pm

Re: Potential Bug In Nagios XI Ldap Auth Component

Post by ssmiller_gfs »

Thanks. Bug report 442 has been submitted with the information above.
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Potential Bug In Nagios XI Ldap Auth Component

Post by abrist »

Great. I linked this thread to our ldap component dev. As the conference is around the corner I know not when this will get addressed, but it will be.
ssmiller_gfs
Posts: 9
Joined: Tue May 08, 2012 1:33 pm

Re: Potential Bug In Nagios XI Ldap Auth Component

Post by ssmiller_gfs »

Thanks again! Please let me know if I can offer any assistance.

Steve
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Potential Bug In Nagios XI Ldap Auth Component

Post by abrist »

Will do.