Patches for GOsa

Theral Mackey tmackey at evernote.com
Tue Jul 10 01:03:32 BST 2018


Hi, I have a few patches for Gosa I feel could/should be incorporated
into the debian pkg (and upstream, if that's still alive?). If possible,
could I get PR access to the project on salsa to submit these?
(username currently tmack0-guest)

We here at Evernote have been using these (along with a few custom
mods for stuff like TOTP integration) for a number of years now:

1. base64() encode passwords sent to shell via hook calls
2. add support for CRYPT sha256 and sha512 passwords

The second one above I can't take full credit for, I think I pieced it
together from forum posts if not outright copy/pasta, but it allows
using more secure hashing functions available in openldap.

The first we implemented because the escapeshellarg code used in Gosa
seemed to be applied inconsistently, causing breakage if certain
characters were used, and led to our sec team being able to use it
for RCE. Passing through base64() encoded values bypasses this much
the same way the other patches for NTLM/perl stuff did (0006, 0007 and
1004). It's likely all variables in hooks could be exploited this way
tbh, passwords are just the quickest way to notice due to the charsets
involved.

Related to which, another patch I am putting together now from our
code, moves the NTLM/LM hashing to native PHP, removing that
shell/perl call altogether. (We eventually stripped out LM
completely as we have no use for it, and NTLM is all of 3 lines.)

Thanks for your time!
-Theral Mackey
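
The base64 hand-off described in the message above, as an added example that is not part of the original e-mail or of GOsa's code: a caller that pastes a password into a hook command line breaks on quote characters, while the base64 form passes through the shell unchanged and is decoded inside the hook. The hook scripts, the function names and the sample password are constructed for illustration, and `sh -c` stands in for a PHP caller handing its command string to the shell.

```shell
#!/bin/sh
# Constructed demo, not GOsa code. "sh -c" stands in for the PHP side
# passing a fully expanded hook command line to /bin/sh.

# Hypothetical hook that expects argv[1] to be the base64-encoded password.
HOOK=$(mktemp)
cat > "$HOOK" <<'EOF'
# Decode first, then treat the result purely as data (here: echo it back).
printf '%s' "$1" | base64 -d
EOF

# Hypothetical hook that expects the plaintext password in argv[1].
RAW_HOOK=$(mktemp)
cat > "$RAW_HOOK" <<'EOF'
printf '%s' "$1"
EOF
trap 'rm -f "$HOOK" "$RAW_HOOK"' EXIT

# Fragile variant: the password is pasted between hand-written single
# quotes, so a quote inside the password changes how the line is parsed.
call_hook_quoted() {
    cmd="sh \"$RAW_HOOK\" '$1'"
    sh -c "$cmd" 2>/dev/null
}

# Base64 variant: the only text spliced into the command line comes from
# the alphabet A-Z a-z 0-9 + / =, which the shell parser leaves untouched.
call_hook_b64() {
    encoded=$(printf '%s' "$1" | base64 | tr -d '\n')
    cmd="sh \"$HOOK\" $encoded"
    sh -c "$cmd"
}

# Constructed sample password with quote and expansion characters.
PW="it's a \$ecret \"pw\""

printf 'quoted: [%s]\n' "$(call_hook_quoted "$PW")"
printf 'base64: [%s]\n' "$(call_hook_b64 "$PW")"
```

The hook must keep treating the decoded value as data; decoding it and then interpolating it into another unquoted command would reintroduce the original problem.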



More information about the Debian-edu-pkg-team mailing list