Rocket.Chat (JSON) accepting blank password field #11017
it's really (((((
It's a very big problem. We are waiting for the critical patch for all server versions.
@xxmoC I wasn't able to reproduce your issue. Can you please contact me at https://open.rocket.chat/direct/rodrigo.nascimento ?
@rodrigok and @xxmoC I reproduced this problem with versions 0.65.1 and 0.64.1 with AD users. We had to disable our chat, because it's a critical vulnerability.
@VareliyK can we chat at https://open.rocket.chat/direct/rodrigo.nascimento too? Let's try to find the root cause.
Glad it's being looked into! thanks! :)
@rodrigok Do you have any news for us?
@VareliyK If you are desperate you can use this patchy workaround.
@fsdaniel Thanks. Does the patch require compilation?
@rodrigok when will you commit this patch? https://github.com/fsdaniel/Rocket.Chat/commit/82ba9cedef53c094e7664774f037554290550368 ?
@VareliyK You don't need this patch, just enable your This is not a Rocket.Chat but, the LDAP (AD only) reply with bind as success but will fail on next requests saying that the bind was not done. I'll release an option (false by default) to allow empty passwords ASAP for our 3 latest versions
@rodrigok Are these the correct settings?
@rodrigok Thanks! It works if Login Fallback is false. But I can still log in with an empty password if Login Fallback is true :(
@VareliyK Yes, it will work, since the login fallback stores the supplied password in the Rocket.Chat user's record and uses it if the login on LDAP fails. So if the empty login was working before and you had the login fallback enabled, it stored the empty passwords for the users that logged in at that time; then, even if the LDAP blocks the login, the fallback will be executed and the password will match (empty === empty).
The fallback login should be used only if you have some users that should authenticate against the internal account system because they are not in your LDAP system, or if your LDAP server has recurrent outages.
@rodrigok I have two questions:
@rodrigok any update on when the new version will be released?
@rodrigok reminder
Description:
We use RocketChat with our AD servers for LDAP authentication. But we experience some strange behaviour on iOS devices, as our users can authenticate without giving a password (read: empty field).
As far as we can see, the Android, Windows and web clients do work as expected; it seems like the iOS device has no check whether the authentication is correct. This has already been investigated by the iOS team of RocketChat; it seems the API is not validating credentials and just allows anonymous access on the server side.
We have anonymous binding open only for RootDSE in AD, as designed and advised by Microsoft (microsoft.png). When connecting to the OU where our AD users are in, authentication is not possible with anonymous binding.
Server Setup Information:
Steps to Reproduce:
Expected behavior:
I would expect the system to give an error that the users haven't entered their passwords and cannot log in
Actual behavior:
The user is logged in on an iOS device, without entering a password
Relevant logs:
When I try to reproduce the LDAP query with my service account in AD (ldapsearch) and try to search and/or bind the user, I cannot bind or search without entering a password in the particular OU; it is only accepting anonymous bindings on RootDSE. Probably the iOS client is not checking this or whatsoever.
Also see ldapsearch1.png & ldapsearch2.png
Also when trying to validate via JSON it's giving access without a password:
curl -X POST "https://rocketchat.domain.com/api/v1/login" -H "Content-Type: application/json" -d '{"ldapPass": "", "ldapOptions": [], "ldap": true, "username": "firstname.lastname@domain.com"}'
{"status":"success","data":{"userId":"zRhXFE7yMcttZq7Ky","authToken":"pewwsqX11BO66WEfFPglDJvvViIi8fwjNbYDcclPfT_"}}