WebApp allowing login with any password!

One of our users just found an interesting issue. They can log into the WebApp with any password. Put in any valid username and ‘jdhfjkasdhkjfhasdk’ (or whatever you want) into the password field, and it will log you into that user’s mailbox. I just updated to the latest stable version of the server and webapp, in case it was a previous bug, and the issue is still there. I’m not sure when it was introduced, as this server is used almost exclusively with ActiveSync.

This is what I saw in the server.log:

LDAP (simple) bind on uid=burgessja,dc=domain,dc=com failed: Invalid credentials
Sun Dec  2 14:54:33 2018: [warning] Authentication by plugin failed for user "burgessja": Trying to authenticate failed: Failure connecting any of the LDAP servers; username = burgessja

So far, I have tested logging in with z-push/ActiveSync, and those do require valid passwords. phpLdapAdmin and openLDAP also require valid passwords, so it doesn’t seem to be an issue with the back end.

I have another Kopano server running, but it is using FreeIPA as the backend, and does not seem to have this issue. I’m not sure where to start with this problem, as I thought the kopano-server process handled LDAP authentication, and the WebApp used it for verification.

Hi @burgessja,
I can't confirm this issue. Which version of Kopano and which LDAP user are you on?

hi @burgessja -

Do you have anything set for ‘local_admin_users’ in /etc/kopano/server.cfg, and is your web server running as one of those users?
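Added example, not code from the thread or from the Kopano project: a small Python check for the configuration this reply asks about. The hint implies that a process running as one of the unix users in `local_admin_users` can connect through the kopano-server unix socket without its password being checked, so if the web server's user appears in that list, the WebApp would accept any password for any mailbox. The script parses a constructed excerpt of `/etc/kopano/server.cfg` (the values are assumptions for the demo, not anyone's real file), assumes the file is plain `key = value` lines with `#` comment lines, and reports which of the usual web-server accounts (the candidate names are an assumption; confirm the real one with `ps -o user= -C apache2` or the equivalent for your httpd) would bypass authentication.

```python
"""Audit kopano-server's local_admin_users for the web server's unix user.

Added example for the forum thread above; not part of Kopano.  Assumption
used here: a user listed in local_admin_users connects through the server
socket without a password check, so the web server must not be in it.
"""

# Constructed excerpt of /etc/kopano/server.cfg (values are made up for the
# demo).  'www-data' is deliberately present to show the finding.
SAMPLE_SERVER_CFG = """\
# Kopano server configuration (constructed excerpt)
server_listen = 127.0.0.1:236
server_pipe_name = /var/run/kopano/server.sock
# local_admin_users = root
local_admin_users = root kopano www-data
user_plugin = ldap
"""

# Same excerpt with the web server removed from the list.
HARDENED_SERVER_CFG = SAMPLE_SERVER_CFG.replace(
    "local_admin_users = root kopano www-data", "local_admin_users = root kopano"
)

# Unix accounts web servers commonly run as (assumption; verify with ps).
DEFAULT_WEB_USERS = ("www-data", "apache", "nginx", "http", "wwwrun")


def parse_cfg(text):
    """Parse 'key = value' lines into a dict.

    Lines starting with '#' are comments and '!' lines (e.g. !include) are
    skipped; a later occurrence of a key overrides an earlier one.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def local_admin_users(text):
    """Return the set of unix users named in local_admin_users."""
    return set(parse_cfg(text).get("local_admin_users", "").split())


def web_user_is_local_admin(text, web_user):
    """True if the given web-server unix user bypasses the password check."""
    return web_user in local_admin_users(text)


def audit(text, web_users=DEFAULT_WEB_USERS):
    """Return the web-server users that appear in local_admin_users (sorted).

    An empty list means none of the candidate web-server accounts can connect
    to kopano-server without a password.
    """
    return sorted(local_admin_users(text) & set(web_users))


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SERVER_CFG), ("hardened", HARDENED_SERVER_CFG)):
        hits = audit(cfg)
        if hits:
            print(f"{name}: web server user(s) {hits} are in local_admin_users; "
                  "any password would be accepted for any mailbox")
        else:
            print(f"{name}: no web server user in local_admin_users")
```

To run it against a live box, read `/etc/kopano/server.cfg` into `audit()` and pass the user you observed for the httpd worker processes instead of the default candidates; the check says nothing about the other possibility raised later in the thread (a stale WebApp `config.php`), which has to be diffed against the packaged file separately.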

Hi, we have several kopano instances running in various versions, ranging from 8.0 to the latest, both on SLES and UCS, and I can’t recreate this.
You sure that your authentication system is working properly?
Best Regards
W.

I swear I posted a reply to this already; I must have posted it on the wrong topic, my apologies…

Anyway, I did solve the issue, but I'm still not sure what caused it. Replacing the webapp config.php file with a fresh, unmodified one from the Apt repo solved the problem. I have always instructed Apt to keep the version of my config.php file installed on the server, rather than replacing it with a new one during Apt updates.

I am guessing that my outdated config.php file was either missing a new parameter that had been added, or possibly had a typo in it that caused strange results? I do not know what version I was using, but the original install was done in January 2018, and it was last updated in July (but still using the config.php file from January). I also tried updating the entire Kopano suite to the newest version, and that did not work until I replaced the config.php file.

The authentication system seemed to be working properly, as the issue did not occur with ActiveSync/Z-Push clients (Outlook 2016 and the native Android mail client).