ikiwiki openid + passwordauth empty password security hole

Debian Bug report logs - #483770
ikiwiki openid + passwordauth empty password security hole

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Joey Hess <joeyh@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: ikiwiki openid + passwordauth empty password security hole

Date: Fri, 30 May 2008 18:10:17 -0400

[Message part 1 (text/plain, inline)]

Package: ikiwiki
Version: 1.34
Severity: grave
Tags: security patch

I'm unhappy to report a nasty security hole in ikiwiki. If both openid
and passwordauth plugins are enabled (the default configuration), anyone
can log in as any openid that has previously logged into the wiki and
does not have a password set.

The worst possible impact would be if the wiki admin were configured to
be an openid. Then anyone could log in as the admin and lock pages/ban
users/trash the wiki.


The good news: This does not affect debian stable; the first ikiwiki affected
is 1.34, which is when openid support was added.

Debian testing security team: Could you please get a CVE for this issue?
I'll handle the high-urgency upload to unstable.

Ubuntu security team: Looks like all versions of ikiwiki in all ubuntu
releases except edgy are vulnerable.

Brix: Could you inform the appropriate security people in FreeBSD and
get a fix into there?

Martin: Can you update backports?


The following is a minimal patch against ikiwiki version 1.34 to fix
the issue, should also apply ok to later versions.

diff --git a/IkiWiki/Plugin/passwordauth.pm b/IkiWiki/Plugin/passwordauth.pm
index 1aac17a..0e20055 100644
--- a/IkiWiki/Plugin/passwordauth.pm
+++ b/IkiWiki/Plugin/passwordauth.pm
@@ -63,6 +63,7 @@ sub formbuilder_setup (@) { #{{{
 					name => "password",
 					validate => sub {
 						length $form->field("name") &&
+						length $_[0] &&
 						shift eq IkiWiki::userinfo_get($form->field("name"), 'password');
 					},
 				);

-- 
see shy jo

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 483770-close@bugs.debian.org (full text, mbox, reply):

From: Joey Hess <joeyh@debian.org>

To: 483770-close@bugs.debian.org

Subject: Bug#483770: fixed in ikiwiki 2.48

Date: Fri, 30 May 2008 22:32:05 +0000

Source: ikiwiki
Source-Version: 2.48

We believe that the bug you reported is fixed in the latest version of
ikiwiki, which is due to be installed in the Debian FTP archive:

ikiwiki_2.48.dsc
  to pool/main/i/ikiwiki/ikiwiki_2.48.dsc
ikiwiki_2.48.tar.gz
  to pool/main/i/ikiwiki/ikiwiki_2.48.tar.gz
ikiwiki_2.48_all.deb
  to pool/main/i/ikiwiki/ikiwiki_2.48_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 483770@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joey Hess <joeyh@debian.org> (supplier of updated ikiwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 30 May 2008 17:36:07 -0400
Source: ikiwiki
Binary: ikiwiki
Architecture: source all
Version: 2.48
Distribution: unstable
Urgency: high
Maintainer: Joey Hess <joeyh@debian.org>
Changed-By: Joey Hess <joeyh@debian.org>
Description: 
 ikiwiki    - a wiki compiler
Closes: 478530 483770
Changes: 
 ikiwiki (2.48) unstable; urgency=high
 .
   * Fix security hole that occurred if openid and passwordauth were both
     enabled. passwordauth would allow logging in as a known openid, with an
     empty password. Closes: #483770
   * Add rel=nofollow to edit links. This may prevent some spiders from
     pounding on the cgi following edit links.
   * passwordauth: If Authen::Passphrase is installed, use it to store
     password hashes, crypted with Eksblowfish.
   * `ikiwiki-transiition hashpassword /path/to/srcdir` can be used to
     hash existing plaintext passwords.
   * Passwords will no longer be mailed, but instead a password reset link.
   * The password_cost config setting is provided as a "more security" knob.
   * teximg: Fix logurl.
   * teximg: If the log isn't written, avoid ugly error messages.
   * Updated French translation. Closes: #478530
Checksums-Sha1: 
 3928af5fb39f69bcf329c2370ac59bff88a71d3d 1087 ikiwiki_2.48.dsc
 dcca59d164f7cafb9e638a02df04c1f6bd967e42 729477 ikiwiki_2.48.tar.gz
 46e63f83022691d673ad3392d0ba8cc59d6af35c 862284 ikiwiki_2.48_all.deb
Checksums-Sha256: 
 30a257ef53fa8fb5696e9465e7fb3f1973ebdffda5fa501841bd06ae3d83b0e4 1087 ikiwiki_2.48.dsc
 5c728a3d175f28e80fde4049c1f93b6805f79f5caaa00cb6a2279f2723bef778 729477 ikiwiki_2.48.tar.gz
 c15c1406da66f906007ee9283a82586fc5b4d1590a3316296354bad512771d95 862284 ikiwiki_2.48_all.deb
Files: 
 778a34149481186800d79c3d8e92b8d2 1087 web optional ikiwiki_2.48.dsc
 6b293f6e8a08578533d0268b25dae5b3 729477 web optional ikiwiki_2.48.tar.gz
 f5b97d3b7ea1ff3f7be502af3c97c338 862284 web optional ikiwiki_2.48_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIQH3m2tp5zXiKP0wRAvotAKCkhHPSwZf9tXouceTXE5fWmIZdWACgpDzN
zmoLfbN607pX4ikMfMQQcKY=
=8ypr
-----END PGP SIGNATURE-----

Message #15 received at 483770@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 483770@bugs.debian.org

Subject: Re: Bug#483770: ikiwiki openid + passwordauth empty password security hole

Date: Sat, 31 May 2008 02:55:05 +0200

[Message part 1 (text/plain, inline)]

Hi Joey,
* Joey Hess <joeyh@debian.org> [2008-05-31 00:22]:
[...] 
> I'm unhappy to report a nasty security hole in ikiwiki. If both openid
> and passwordauth plugins are enabled (the default configuration), anyone
> can log in as any openid that has previously logged into the wiki and
> does not have a password set.

Ouch :/

[...] 
> Debian testing security team: Could you please get a CVE for this issue?

Done, I'll update this bug report as soon as I got one.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #20 received at 483770@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 483770@bugs.debian.org

Subject: CVE id for ikiwiki

Date: Sun, 1 Jun 2008 01:30:21 +0200

[Message part 1 (text/plain, inline)]

Hi Joey,
please use CVE-2008-0169 as CVE id.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Send a report that this bug log contains spam.