Webmeeting login with password containing special character '<' not possible



  • I am running the kopano docker stack from: https://github.com/zokradonh/kopano-docker
    @fbartels Thanks for your great work there enabling this docker stack!

    I have a user in the docker-compose deployed LDAP with a password containing the < special character. The user can correctly log in to all services connected to the LDAP, including the Kopano WebApp. As soon as I want to log in with this user at mykopano.domain.tld/meet, I get the following error from the kopano_konnect_1 service:

    level=error msg="identifier failed to logon with backend" error="kc identifier backend logon error: failed to read from unix socket: read unix @->/var/run/kopano/server.sock: i/o timeout"
    

    Resetting the password to one without this special character seems to be a workaround. Nevertheless, this might indicate a problem of improper escaping of the password, hinting at a potential security risk.

    best,
    Christian

    Update:
    Some additional version info of the used kopano stack from the central .env file:

    CORE_VERSION=8.7.81.88
    WEBAPP_VERSION=3.5.7.2298
    ZPUSH_VERSION=2.5.0
    KONNECT_VERSION=0.23.4
    KWM_VERSION=0.15.3
    MEET_VERSION=0.20.0_0
    KDAV_VERSION=latest
    

  • Kopano

    @cguenther said in Webmeeting login with password containing special character '<' not possible:

    Nevertheless, this might indicate a problem of improper escaping of the password, hinting at a potential security risk.

    If you think this is a security issue, then you should really think about responsible disclosure before posting messages on public forums ;-)

    I gave this a quick try by setting the password of the “user1” user to <test and was able to login, though.

    Edit: retried with the version info you added to your update and see a SOAP failure in that case:

    kopano_konnect_1         | SOAP --- response 500 start ---
    kopano_konnect_1         | <?xml version="1.0" encoding="UTF-8"?>
    kopano_konnect_1         | <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xop="http://www.w3.org/2004/08/xop/include" xmlns:xmlmime="http://www.w3.org/2004/11/xmlmime" xmlns:ns="urn:zarafa"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>Error -2147221245</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
    kopano_konnect_1         |
    kopano_konnect_1         | SOAP --- response end  ---
    kopano_konnect_1         | SOAP --- response 500 start ---
    kopano_konnect_1         | <?xml version="1.0" encoding="UTF-8"?>
    kopano_konnect_1         | <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xop="http://www.w3.org/2004/08/xop/include" xmlns:xmlmime="http://www.w3.org/2004/11/xmlmime" xmlns:ns="urn:zarafa"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>Error -2147221245</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
    kopano_konnect_1         |
    kopano_konnect_1         | SOAP --- response end  ---
    kopano_konnect_1         | time="2019-06-07T09:01:06Z" level=error msg="identifier failed to logon with backend" error="kc identifier backend logon error: failed to read from unix socket: read unix @->/var/run/kopano/server.sock: i/o timeout"
    

    Will have a closer look, but I don’t think this is security relevant.



  • @fbartels said in Webmeeting login with password containing special character '<' not possible:

    If you think this is a security issue, then you should really think about responsible disclosure before posting messages on public forums ;-)

    Oh sorry, you are totally right. Is there a way to message you / kopano in a non-public way for such a case?

    Nevertheless, like always:
    thanks for the reproduction and fast feedback :)


  • Kopano

    @cguenther said in Webmeeting login with password containing special character '<' not possible:

    Is there a way to message you / kopano in a non-public way for such a case?

    Customers of ours can always get in contact with our support. Alternatively we are also always publishing the feedback at kopano dot io email in our announcements.

    If you think you have something critical and want to report privately you can also message security at kopano dot io to exchange keys for encrypting information.


  • Kopano

    @cguenther said in Webmeeting login with password containing special character '<' not possible:

    Resetting the password to one without this special character seems to be a workaround. Nevertheless, this might indicate a problem of improper escaping of the password

    Seems that I missed merging one of my branches and then forgot about it. The underlying issue is fixed in kcc-go 4.0.0, which will be part of the next Konnect release. Both master branches have been updated accordingly.

    Thanks for reporting!
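The failure mode discussed in this thread (a credential containing `<` breaking a SOAP logon) is a classic symptom of building XML by string concatenation instead of through an XML encoder. The following Go program is an added example written for this page; it is not code from kcc-go, Konnect or any other Kopano component, and the `<logon>` element names it uses are hypothetical stand-ins, not Kopano's real SOAP schema. It builds the same request both ways and shows that the naive body fails to parse while the encoder-built body round-trips the password intact, which is the check a reviewer would want when auditing a SOAP client for this class of bug.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
)

// logonRequest is a hypothetical, minimal logon body used only for this
// demonstration. It is NOT the Kopano/zarafa SOAP schema (assumption).
type logonRequest struct {
	XMLName  xml.Name `xml:"logon"`
	Username string   `xml:"username"`
	Password string   `xml:"password"`
}

// buildNaive splices the credentials into the XML text without escaping,
// which is the bug pattern that makes a '<' (or '&') in a password
// produce a malformed document on the wire.
func buildNaive(user, pass string) string {
	return fmt.Sprintf("<logon><username>%s</username><password>%s</password></logon>", user, pass)
}

// buildEscaped lets encoding/xml serialise the struct, so reserved
// characters in the password are emitted as entities (e.g. &lt;).
func buildEscaped(user, pass string) (string, error) {
	var buf bytes.Buffer
	if err := xml.NewEncoder(&buf).Encode(logonRequest{Username: user, Password: pass}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// roundTrip parses a request body the way a strict server-side XML parser
// would and returns the password it decoded. A malformed body yields an
// error instead of a credential, which is what the thread observed as a
// SOAP fault / logon failure.
func roundTrip(body string) (string, error) {
	var req logonRequest
	if err := xml.Unmarshal([]byte(body), &req); err != nil {
		return "", err
	}
	return req.Password, nil
}

func main() {
	// Constructed sample credentials; "<test" mirrors the password used in
	// the reproduction above.
	for _, pass := range []string{"plain123", "<test", "a&b<c"} {
		naive := buildNaive("user1", pass)
		if _, err := roundTrip(naive); err != nil {
			fmt.Printf("naive   %-10q -> parse error: %v\n", pass, err)
		} else {
			fmt.Printf("naive   %-10q -> ok\n", pass)
		}
		esc, err := buildEscaped("user1", pass)
		if err != nil {
			fmt.Printf("escaped %-10q -> encode error: %v\n", pass, err)
			continue
		}
		got, err := roundTrip(esc)
		fmt.Printf("escaped %-10q -> body=%s decoded=%q err=%v\n", pass, esc, got, err)
	}
}
```

Run it with `go run` to see the naive body fail only for passwords containing reserved characters while the encoder-built body decodes every password unchanged. The same check applies to any other field that carries user-controlled text into an XML or SOAP request, not just passwords.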