WebApp allowing login with any password!



  • One of our users just found an interesting issue. They can log into the WebApp with any password. Put in any valid username and ‘jdhfjkasdhkjfhasdk’ (or whatever you want) into the password field, and it will log you into that user’s mailbox. I just updated to the latest stable version of the server and webapp, in case it was a previous bug, and the issue is still there. I’m not sure when it was introduced, as this server is used almost exclusively with ActiveSync.

    This is what I saw in the server.log:

    LDAP (simple) bind on uid=burgessja,dc=domain,dc=com failed: Invalid credentials
    Sun Dec  2 14:54:33 2018: [warning] Authentication by plugin failed for user "burgessja": Trying to authenticate failed: Failure connecting any of the LDAP servers; username = burgessja
    
    

    So far, I have tested logging in with z-push/ActiveSync, and those do require valid passwords. phpLdapAdmin and openLDAP also require valid passwords, so it doesn’t seem to be an issue with the back end.

    I have another Kopano server running, but it is using FreeIPA as the backend, and does not seem to have this issue. I’m not sure where to start with this problem, as I thought the kopano-server process handled LDAP authentication, and the WebApp used it for verification.



  • Hi @burgessja,
    I can't confirm this issue. Which version of Kopano and which LDAP user are you on?


  • Kopano

    Hi @burgessja -

    Do you have anything set for ‘local_admin_users’ in /etc/kopano/server.cfg, and is your web server running as one of those users?



  • Hi, we have several kopano instances running in various versions, ranging from 8.0 to the latest, both on SLES and UCS, and I can’t recreate this.
    Are you sure that your authentication system is working properly?
    Best Regards
    W.



  • I swear I posted a reply to this already, must have posted it on the wrong topic, my apologies…

    Anyway, I did solve the issue, but I'm still not sure what caused it. Replacing the webapp config.php file with a fresh, unmodified one from the Apt repo solved the problem. I have always instructed Apt to keep the version of my config.php file installed on the server, rather than replacing it with a new one during Apt updates.

    I am guessing that my outdated config.php file was either missing a new parameter that had been added, or possibly had a typo in it that caused strange results? I do not know what version I was using, but the original install was done in January 2018, and it was last updated in July (but still using the config.php file from January). I also tried updating the entire Kopano suite to the newest version, and that did not work until I replaced the config.php file.

    The authentication system seemed to be working properly, as the issue did not occur with ActiveSync/Z-Push clients (Outlook 2016 and the native Android mail client).



  • Hi,

    I was experiencing the same.
    What caused the login problem was the following setting in /etc/kopano/webapp/config.php:

        if (version_compare(phpversion('mapi'), '7.2.2', '>=')) {
            define("DEFAULT_SERVER", "default:");
        } else {
            define("DEFAULT_SERVER", "file:///var/run/kopano/server.sock");
        }


    Changing it to

        define("DEFAULT_SERVER", "http://localhost:236/kopano");


    solved the problem.

    I’m running the following versions on Debian 9:
    kopano-webapp 3.5.1.2075+1143.1
    kopano-server 8.7.80.355

    This might be an old configuration from Zarafa 7.2.x.

    Thanks
    Stefan


  • Kopano

    Hi @stef-jakobs,

    While this cures the symptoms, the source of your problem is what @bhuisman already said: your web server process is running as a local admin, which ultimately means that every login is treated as coming from an admin (the password is not checked).

    The default socket means he is using the Unix socket (because it’s faster than going through TCP) which means the user of the webserver matters.
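To catch this combination before it reaches production, here is an added Python check (not Kopano's own tooling, and not code from anyone in this thread) that reads server.cfg and the WebApp config.php and flags a web server user that appears in local_admin_users while DEFAULT_SERVER selects the Unix socket transport. The sample configs are constructed; the space-separated list format and the "root" fallback for local_admin_users are assumptions.

```python
import re

# Constructed sample inputs, modelled on the snippets quoted in this thread.
SERVER_CFG = """\
# /etc/kopano/server.cfg (constructed example)
server_listen = 127.0.0.1:236
local_admin_users = root www-data
"""

WEBAPP_CONFIG_PHP = """\
<?php
if (version_compare(phpversion('mapi'), '7.2.2', '>=')) {
    define("DEFAULT_SERVER", "default:");
} else {
    define("DEFAULT_SERVER", "file:///var/run/kopano/server.sock");
}
"""


def local_admin_users(server_cfg: str) -> set:
    """Users listed in local_admin_users (assumed to be space-separated)."""
    for line in server_cfg.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "local_admin_users":
                return set(value.split())
    return {"root"}  # assumed fallback when the key is absent


def default_servers(config_php: str) -> list:
    """Every DEFAULT_SERVER value defined in config.php, in any branch."""
    return re.findall(r'define\(\s*"DEFAULT_SERVER"\s*,\s*"([^"]*)"\s*\)', config_php)


def uses_unix_socket(uri: str) -> bool:
    """'default:' and file:// both pick the local socket, where the OS user is trusted."""
    return uri.startswith("default:") or uri.startswith("file://")


def assess(server_cfg: str, config_php: str, webserver_user: str) -> dict:
    """Flag the admin-socket combination that skips the password check."""
    admins = local_admin_users(server_cfg)
    socket_uris = [u for u in default_servers(config_php) if uses_unix_socket(u)]
    is_admin = webserver_user in admins
    return {"webserver_is_local_admin": is_admin,
            "socket_uris": socket_uris,
            "password_bypass_risk": is_admin and bool(socket_uris)}


if __name__ == "__main__":
    print(assess(SERVER_CFG, WEBAPP_CONFIG_PHP, "www-data"))
```

Run it with the actual user your web server runs as (for example from `ps -o user= -C apache2`); either removing that user from local_admin_users or switching DEFAULT_SERVER to the TCP URI clears the flag.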

