
Store LDAP domain as credential source for LDAP external accounts
Closed, Wontfix · Public

Description

There's an administrator privilege escalation possible with LDAP now:

  1. Point the LDAP adapter at a new server you control.
  2. Create all the user accounts with password "asdf".
  3. Escalate from an administrator account to any account with LDAP.

This isn't normally possible because external account domains store the server identity, but for LDAP they're all still "self". T887 will fix this, but this is a special case with security implications (the other cases do not have those implications).

Event Timeline

epriestley updated the task description. Nov 19 2013, 12:46 PM
epriestley added projects: Security, Auth.
epriestley added a subscriber: epriestley.
epriestley created this task.
epriestley raised the priority of this task from to Low.
eadler added a subscriber: eadler. Apr 28 2015, 3:52 AM

This escalation requires control of DNS/networking or something to point Phabricator at the new LDAP server, correct?

No -- you point Phabricator at the new LDAP server by using a compromised administrative account and going to AuthLDAP and changing ldap.mycompany.com to ldap.evil.com.

This phrasing was unclear:

administrator privilege escalation

I mean "if you compromise an administrator account, you can escalate from that to any other account", not "you can escalate to administrative privileges from [some lesser set of privileges]".

escalate from that to any other account

To be precise, any other account which already has an associated link with an external LDAP account.

epriestley moved this task from Backlog to Next on the Auth board. Dec 12 2018, 8:24 PM
epriestley closed this task as Wontfix. Dec 12 2018, 8:25 PM
epriestley claimed this task.

I think we're going to fix this with T7667 instead. Binding to a particular domain creates headaches if you actually move the LDAP server, and unlocked authentication creates a lot of other problems that we can't address in a similar way.
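
The difference between storing "self" and storing the server identity as the external account domain, as an added example that is not Phabricator code or part of the original task. It assumes a simplified model in which a link is keyed by (account type, account domain, account id); the class, the function names, the sample accounts and the second hostname are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class LinkStore:
    """Simplified model: (account type, account domain, account id) -> local user."""
    bind_domain: bool  # False models the task's case: every LDAP link's domain is "self"
    links: dict = field(default_factory=dict)

    def _key(self, server_host, ldap_uid):
        domain = server_host if self.bind_domain else "self"
        return ("ldap", domain, ldap_uid)

    def link(self, server_host, ldap_uid, local_user):
        self.links[self._key(server_host, ldap_uid)] = local_user

    def resolve(self, server_host, ldap_uid):
        """Local user a successful bind as ldap_uid on server_host maps to, or None."""
        return self.links.get(self._key(server_host, ldap_uid))


def carried_over(store, new_host):
    """Local users whose existing links still resolve once the adapter points
    at new_host. A non-empty result means the new server is trusted to vouch
    for those accounts without any re-linking."""
    users = []
    for (_type, _domain, ldap_uid), local_user in store.links.items():
        if store.resolve(new_host, ldap_uid) == local_user:
            users.append(local_user)
    return sorted(users)


def build(bind_domain, host="ldap.mycompany.com"):
    # Constructed sample links; the account names are made up for the example.
    store = LinkStore(bind_domain=bind_domain)
    store.link(host, "alice", "alice")
    store.link(host, "bob", "bob")
    return store


if __name__ == "__main__":
    new_host = "ldap-new.example.test"  # constructed hostname
    print("domain 'self':  ", carried_over(build(False), new_host))
    print("domain = server:", carried_over(build(True), new_host))
```

With the domain bound to the server, no link carries over to a different host, which is also why a legitimate server move would require re-linking every account.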