Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 24 Aug 2014 19:57:05 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: CVE-2014-5443: Seafile local horizontal privilege escalation
 vulnerability

Product: Seafile server for Linux
Vendor: Seafile Ltd. http://seafile.com/
Affected versions: 3.1.1, 3.0.4 and probably prior
Fixed in version: 3.1.2
Founder of this vulnerability: Kimmo Huoman
Vendor notification: 2014-08-05
Solution date: 2014-08-07
CVE reference: CVE-2014-5443

Description:

Local horizontal privilege escalation

Steps to reproduce:

1. Install seafile for user1 (using the defaults)
2. Start seafile for user1 (./seafile.sh start; ./seahub.start) [ to create
admin account ]
3. Install seafile for user2 (no need to change any of the defaults, this won't
be run at all)
4. Change user2 password with command-line tool (./reset-admin.sh)
5. Login to user1 installation as admin with the login information created in
previous step
6. Check user1 email address and change password for that account with CLI
7. Login to UI with new information and browse files...

Provided that the user hasn't logged out, he won't even notice the password
change. Files keep on syncing etc also. Also all the files removed from the
libraries (don't delete the library itself, just the files) are removed from the
synced clients.

The issue seems to be related to ccnet handling user accounts instead of Django,
which allows password changing through the daemon running (be default) at port
13418. If I change port in ccnet.conf to another, the client can't connect and
password can't be changed (before changing the ccnet.conf for other account to
correspond).

Changelog says:

Use unix domain socket in ccnet to listen for local connections. This isolates
the access to ccnet daemon for different users. Thanks to Kimmo Huoman and Henri
Salo for reporting this issue.

---
Henri Salo

Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.