Re: ppolicy + slapcat = ldif vulnerability?
Scott Classen writes:
> I'm not sure if this is truly a vulnerability, but I thought I'd put
> it out there for discussion.
> When I back up the bdb database via slapcat -l backup.ldif the
> userPassword field looks to be Base64 hashed.
> but the passwd history leaves the passwd hashes visible.
If you can get at the base64 representation, you can also base64-decode
it. However if a userPassword contains a plaintext password and is not
base64-encoded, you can then accidentally display the password for
others to see. I think that's why userPassword is displayed in base64.
I don't remember whether pwdHistory can contain a currently active password.
Otherwise it doesn't seem much of a problem.
But this reminds me - there are also back-config attributes which
contain passwords, in particular olcRootPW. I'm not sure that is a
problem though. Hopefully people are more careful with who is looking
when they are playing with cn=config, in particular if they have
plaintext passwords there. And base64-encoding it could frustrate
people who _want_ to read it. I don't know whether the best approach is
to base64 those attributes or leave them alone.
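The point made above, that the "::" base64 form in a slapcat dump is encoding rather than protection, and that pwdHistory values carry the hash in the clear, is illustrated by the following added example. It is not code from the thread or from OpenLDAP: it is a minimal LDIF reader written for this page. It assumes the LDIF conventions slapcat follows (attr: value, attr:: base64, continuation lines starting with one space) and that ppolicy pwdHistory values have the form time#syntaxOID#length#data. The entries, hashes and the cn=config fragment in SAMPLE_LDIF are constructed test data; whether a given slapd version base64-encodes olcRootPW is not asserted here. The redact_ldif function shows what a practitioner should run on a dump before pasting it into a mail or ticket.

```python
"""Added example (not from the original mailing-list post): why base64 in a
slapcat dump hides nothing, and how to redact a dump before sharing it.

Assumptions: slapcat-style LDIF (RFC 2849 folding, "attr:: base64" values);
ppolicy pwdHistory values shaped like time#syntaxOID#length#data."""
import base64

# Attributes whose values should never leave the box unredacted.
SENSITIVE = {"userpassword", "pwdhistory", "olcrootpw"}

# Constructed sample dump. "{SSHA}abcd", "{SSHA}wxyz" and "{SSHA}fakeroot"
# stand in for real salted hashes; "secret" is a deliberately plaintext
# userPassword. The pwdHistory value is folded onto a continuation line.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword:: e1NTSEF9YWJjZA==
pwdHistory: 20090101120000Z#1.3.6.1.4.1.1466.115.121.1.40#10#{SSHA}wx
 yz

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword:: c2VjcmV0

dn: olcDatabase={1}bdb,cn=config
objectClass: olcDatabaseConfig
olcRootPW: {SSHA}fakeroot
"""


def parse_ldif(text):
    """Return a list of (dn, [(attr, value_bytes), ...]) records.

    Handles continuation lines and the '::' base64 form; 'attr:< url' values
    are skipped. Good enough for slapcat output, not a full LDIF parser."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # RFC 2849 continuation line
        else:
            unfolded.append(raw)
    records, dn, attrs = [], None, []
    for line in unfolded + [""]:             # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line:
            if dn is not None:
                records.append((dn, attrs))
                dn, attrs = None, []
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>" -> one call undoes it
            value = base64.b64decode(rest[1:].strip())
        elif rest.startswith("<"):           # "attr:< file:///..." not supported here
            continue
        else:
            value = rest.lstrip(" ").encode()
        if name.lower() == "dn":
            dn = value.decode()
        else:
            attrs.append((name, value))
    return records


def pwd_history_data(value):
    """Split a ppolicy pwdHistory value (assumed time#oid#len#data) and
    return the stored password data, which is readable as-is in the dump."""
    _time, _oid, length, data = value.decode().split("#", 3)
    if int(length) != len(data):
        raise ValueError("pwdHistory length field does not match data")
    return data


def exposed_secrets(text):
    """Map each DN to the secrets anyone holding the dump can read directly."""
    found = {}
    for dn, attrs in parse_ldif(text):
        for name, value in attrs:
            lname = name.lower()
            if lname == "pwdhistory":
                found.setdefault(dn, []).append(("pwdHistory", pwd_history_data(value)))
            elif lname in SENSITIVE:
                s = value.decode(errors="replace")
                # A "{SCHEME}" prefix means a hash; no prefix (or {CLEARTEXT}) is
                # exactly the accidental-display case the reply worries about.
                plain = not s.startswith("{") or s.upper().startswith("{CLEARTEXT}")
                found.setdefault(dn, []).append((name, f"{'plaintext' if plain else 'hashed'}:{s}"))
    return found


def redact_ldif(text):
    """Rewrite a dump with SENSITIVE values blanked, for safe sharing.

    Works on the folded text line by line, so '::' values are caught by
    attribute name and continuation lines of a redacted value are dropped."""
    out, skipping = [], False
    for raw in text.splitlines():
        if raw.startswith(" "):
            if not skipping:
                out.append(raw)
            continue
        name = raw.partition(":")[0]
        skipping = name.lower() in SENSITIVE
        out.append(f"{name}: ***REDACTED***" if skipping else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for dn, items in exposed_secrets(SAMPLE_LDIF).items():
        print(dn, items)
    print(redact_ldif(SAMPLE_LDIF))
```

Run it against a real `slapcat -l backup.ldif` output with `parse_ldif(open("backup.ldif").read())` to see how many entries give up their hashes with one base64 call; use `redact_ldif` on anything you intend to show to someone who should not hold the hashes, and treat the unredacted dump itself with the same file permissions as the database directory.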