Description
When auth = [ldap_login, moin_cookie] is used for LDAP authentication, a hash of the user's LDAP password is written to the user's profile file on disk (in data/user/, as enc_password={SHA}...). The {SHA} scheme is an unsalted SHA-1 digest, so after a server compromise an attacker who can read those files can run a dictionary or brute-force attack against them and recover users' LDAP passwords, which are directory credentials rather than wiki-only ones.
Steps to reproduce
- Configure LDAP authentication with 'auth = [ldap_login, moin_cookie]' in wikiconfig.py
- Log in as an LDAP-authenticated user
- Check the profile file created in data/user/; note the line 'enc_password={SHA}...'
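The check above can be scripted. The following is an added example, not MoinMoin code: it scans a set of profile files for enc_password entries and shows why a stored {SHA} value is a problem by recovering it from a small wordlist. It assumes the profile layout the report shows (one key=value pair per line) and takes {SHA} to be the RFC 2307 scheme, an unsalted, base64-encoded SHA-1 digest; the user ids, addresses and wordlist are constructed for the example.

```python
"""Audit MoinMoin 1.5 user profiles for stored LDAP password hashes.

Added example, not MoinMoin code. Assumes the profile format the report
shows (key=value per line, enc_password={SHA}<base64>) and that {SHA} is
the RFC 2307 unsalted SHA-1 scheme.
"""
import base64
import hashlib
from pathlib import Path
from typing import Dict, Iterable, Optional


def encode_password(password: str) -> str:
    """RFC 2307 {SHA}: base64 of the raw SHA-1 digest, no salt (assumed format)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_profile(text: str) -> Dict[str, str]:
    """Parse a key=value-per-line profile into a dict (assumed layout)."""
    profile = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            profile[key.strip()] = value.strip()
    return profile


def find_stored_hashes(profiles: Dict[str, str]) -> Dict[str, str]:
    """Return {user_id: enc_password} for every profile that carries a hash."""
    found = {}
    for user_id, text in profiles.items():
        enc = parse_profile(text).get("enc_password")
        if enc:
            found[user_id] = enc
    return found


def crack_sha(enc_password: str, wordlist: Iterable[str]) -> Optional[str]:
    """Recover the plaintext of an unsalted {SHA} hash by dictionary lookup.

    No salt means one SHA-1 per candidate covers every user at once, which is
    what makes a leaked data/user/ directory cheap to crack offline.
    """
    for candidate in wordlist:
        if encode_password(candidate) == enc_password:
            return candidate
    return None


def audit_user_dir(user_dir: Path) -> Dict[str, str]:
    """Run find_stored_hashes over a real data/user/ directory."""
    profiles = {p.name: p.read_text(encoding="utf-8")
                for p in user_dir.iterdir() if p.is_file()}
    return find_stored_hashes(profiles)


# Constructed sample of two profile files as they would sit in data/user/.
# The hash is built with encode_password so the example is self-checking;
# the user ids and addresses are made up.
SAMPLE_PROFILES = {
    "1162043456.34.1234": "name=alice\nemail=alice@example.org\n"
                          "enc_password=" + encode_password("hunter2") + "\n",
    "1162043460.12.5678": "name=bob\nemail=bob@example.org\n",
}

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "hunter2", "wiki"]

if __name__ == "__main__":
    for user_id, enc in find_stored_hashes(SAMPLE_PROFILES).items():
        print(user_id, enc, "->", crack_sha(enc, WORDLIST))
```

Run audit_user_dir(Path("data/user")) against a live 1.5.4 install to list the affected profiles; any hit means the LDAP password of that user should be treated as exposed if the host is ever compromised.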
Example
n/a
Details
MoinMoin Version | 1.5.4
OS and Version | Fedora Core 5
Python Version | 2.4.3-8.FC5
Server Setup | Apache/CGI
Server Details |
Language you are using the wiki in (set in the browser/UserPreferences) | English
Workaround
Discussion
Plan
- Priority: High, this is a security problem.
- Assigned to:
- Status: fixed in 1.6:
- moin_cookie will go away in 1.6 and be replaced by moin_login and moin_session.
- so for pure LDAP logins you will use auth = [ldap_login, moin_session]
- ldap_login checks whether the current form carries a user name and password (e.g. because the user used action=login), extracts them, checks them against LDAP and, if they are valid, creates a user object in memory (with autocreate it also stores a user profile to disk, but it does not store the password hash)
- moin_session either takes that in-memory user object and sets a cookie for it, or uses an existing cookie to build a user object
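The division of labour described in the plan, as an added example that is not MoinMoin's implementation: ldap_login validates form credentials against LDAP and yields an in-memory user (writing a profile on autocreate with no password material in it), and moin_session either issues a cookie for that user or rebuilds the user from a valid cookie. The directory, request object, profile store, session store and cookie format are stubs invented here; the chain itself is consumed the way a wikiconfig auth list is, each method receiving the user object the previous one produced.

```python
"""Model of the 1.6 chain auth = [ldap_login, moin_session].

Added example, not MoinMoin code. LDAP_DIRECTORY, PROFILE_STORE,
SESSION_STORE, Request and the cookie format are constructed stand-ins.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for an LDAP directory: a bind succeeds when the
# password matches. A real deployment binds to the server and keeps nothing.
LDAP_DIRECTORY = {"alice": "hunter2"}

# Constructed server-side state: profiles (replaces data/user/) and sessions.
PROFILE_STORE: dict = {}
SESSION_STORE: dict = {}
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class Request:
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    response_cookies: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    valid: bool = False


def ldap_bind(name: str, password: str) -> bool:
    """Stub for an LDAP simple bind against LDAP_DIRECTORY."""
    expected = LDAP_DIRECTORY.get(name)
    return expected is not None and hmac.compare_digest(expected, password)


def ldap_login(request: Request, user: Optional[User], autocreate: bool = True) -> Optional[User]:
    """Take name/password from the form (e.g. action=login), check them against
    LDAP and return an in-memory user. On autocreate a profile is written, but
    it never contains an enc_password entry."""
    name = request.form.get("name")
    password = request.form.get("password")
    if not name or not password or not ldap_bind(name, password):
        return user
    if autocreate and name not in PROFILE_STORE:
        PROFILE_STORE[name] = {"name": name}   # no password material stored
    return User(name=name, valid=True)


def _sign(session_id: str) -> str:
    """MAC over the session id so a forged cookie is rejected."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def moin_session(request: Request, user: Optional[User]) -> Optional[User]:
    """Set a cookie for the user ldap_login produced, or rebuild a user from an
    existing, correctly signed cookie."""
    if user is not None and user.valid:
        sid = secrets.token_hex(16)
        SESSION_STORE[sid] = user.name
        request.response_cookies["MOIN_SESSION"] = sid + ":" + _sign(sid)
        return user
    cookie = request.cookies.get("MOIN_SESSION", "")
    sid, _, mac = cookie.partition(":")
    if sid and hmac.compare_digest(mac.encode(), _sign(sid).encode()) and sid in SESSION_STORE:
        return User(name=SESSION_STORE[sid], valid=True)
    return None


AUTH = [ldap_login, moin_session]


def authenticate(request: Request) -> Optional[User]:
    """Run the auth chain: each method gets the user the previous one produced."""
    user = None
    for method in AUTH:
        user = method(request, user)
    return user


if __name__ == "__main__":
    login = Request(form={"name": "alice", "password": "hunter2"})
    print(authenticate(login), PROFILE_STORE, login.response_cookies)
    print(authenticate(Request(cookies=dict(login.response_cookies))))
```

The point to verify on a real 1.6 install is the same as in the model: after an LDAP login with autocreate, the new file under data/user/ contains the profile fields but no enc_password line, and subsequent requests are identified by the session cookie rather than by anything derived from the password.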