[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy + slapcat = ldif vulnerability?

Scott Classen writes:
> I'm not sure if this is truly a vulnerability, but I thought I'd put
> it out there for discussion.
> (...)
> When I back up the bdb database via slapcat -l backup.ldif the
> userPassword field looks to be Base64 hashed.
> (...)
> but the passwd history leaves the passwd hashes visible.

If you can get at the base64 representation, you can also base64-decode
it.  However if a userPassword contains a plaintext password and is not
base64-encoded, you can then accidentally display the password for
others to see.  I think that's why userPassword is displayed in base64.

I don't remember if pwdHistory can contain a currently active password?
Otherwise it doesn't seem much of a problem.

But this reminds me - there are also back-config attributes which
contain passwords, in particular olcRootPW.  I'm not sure that is a
problem though.  Hopefully people are more careful with who is looking
when they are playing with cn=config, in particular if they have
plaintext passwords there.  And base64-encoding it could frustrate
people who _want_ to read it.  I don't know whether the best approach is
to base64 those attributes or leave them alone.