Page MenuHomePhabricator

Store LDAP domain as credential source for LDAP external accounts
Closed, WontfixPublic


There's an administrator privilege escalation possible with LDAP now:

  1. Point the LDAP adapter at a new server you control.
  2. Create all the user accounts with password "asdf".
  3. Escalate from an administrator account to any account with LDAP.

This isn't normally possible because external account domains store the server identity, but for LDAP they're all still "self". T887 will fix this, but this is a special case with security implications (the other cases do not have those implications).

Event Timeline

epriestley raised the priority of this task from to Low.
epriestley updated the task description. (Show Details)
epriestley added projects: Security, Auth.
epriestley added a subscriber: epriestley.

This escalation requires control of DNS/networking or something to point phabricator at the new LDAP server, correct?

No -- you point Phabricator at the new LDAP server by using a compromised administrative account and going to AuthLDAP and changing to

This phrasing was unclear:

administrator privilege escalation

I mean "if you compromise an administrator account, you can escalate from that to any other account", not "you can escalate to administrative privileges from [some lesser set of privileges]".

escalate from that to any other account

To be precise, any other account which already has an associated link with an external LDAP account.

epriestley claimed this task.

I think we're going to fix this with T7667 instead. Binding to a particular domain creates headaches if you actually move the LDAP server, and unlocked authentication creates a lot of other problems that we can't address in a similar way.