Bug: Autologin with any Token at display poller

[itsul]

---

BUG REPORT INFORMATION

Centreon/OS Information:
OS: CES Image
rpm -qa | grep centreon
centreon-syslog-server-1.2.5-6.el6.noarch
centreon-common-2.7.6-4.el6.noarch
centreon-base-config-centreon-engine-2.7.6-4.el6.noarch
centreon-widget-service-monitoring-1.4.2-1.el6.noarch
centreon-clib-1.4.2-1.el6.x86_64
centreon-widget-hostgroup-monitoring-1.3.0-4.el6.noarch
centreon-connector-1.1.2-1.el6.x86_64
centreon-perl-libs-2.7.6-4.el6.noarch
centreon-web-2.7.6-4.el6.noarch
centreon-engine-daemon-1.5.1-3.el6.x86_64
centreon-engine-1.5.1-3.el6.x86_64
centreon-widget-httploader-1.0.0-2.el6.noarch
centreon-poller-display-1.5.2-2.el6.noarch
centreon-widget-live-top10-cpu-usage-1.0.0-7.el6.noarch
centreon-widget-grid-map-1.0.0-8.el6.noarch
centreon-widget-engine-status-1.0.1-5.el6.noarch
centreon-broker-storage-2.11.5-2.el6.x86_64
centreon-broker-cbd-2.11.5-2.el6.x86_64
centreon-plugins-2.7.6-4.el6.noarch
centreon-trap-2.7.6-4.el6.noarch
centreon-2.7.6-4.el6.noarch
centreon-connector-perl-1.1.2-1.el6.x86_64
centreon-engine-extcommands-1.5.1-3.el6.x86_64
centreon-widget-tactical-overview-1.0.1-2.el6.noarch
centreon-broker-core-2.11.5-2.el6.x86_64
centreon-broker-cbmod-2.11.5-2.el6.x86_64
centreon-widget-servicegroup-monitoring-1.3.1-1.el6.noarch
centreon-widget-live-top10-memory-usage-1.0.2-1.el6.noarch
centreon-syslog-frontend-1.5.3-5.el6.el6.noarch
centreon-connector-ssh-1.1.2-1.el6.x86_64
centreon-plugin-meta-2.7.6-4.el6.noarch
centreon-widget-host-monitoring-1.4.2-1.el6.noarch
centreon-broker-2.11.5-2.el6.x86_64
centreon-widget-graph-monitoring-1.3.0-3.el6.noarch

Steps to reproduce the issue:

1. Create a user on the satellit-poller (configured as display poller) with a autologin key
2. http://centreon/centreon/main.php?p=1&autologin=1&useralias=%myuser%&token=%anytoken%
3. Any token is valid for a login (except an empty token-GET Parameter an empty token in the user config valid)

User config has no autologin key set so there are two cases:
http://centreon/centreon/main.php?p=1&autologin=1&useralias=%myuser%&token= => not valid
http://centreon/centreon/main.php?p=1&autologin=1&useralias=%myuser%&token=123 => valid/logged in

Describe the results you received:
User is logged in with any token

Describe the results you expected:
User should be logged in only with the correct token

Additional information you think important (e.g. issue happens only occasionally):
This bug is only on the display poller, on the central the function is working as expected. We already tried to delete the user and create a new one. If there is not any token set to a user, you can also login with any token!

[lpinsivy]

HE

I can't reproduce this issue on Centreon Web 2.8.0 and we didn't change mechanism since Centreon Web 2.7.6.

Can you export me the content of centreon.contact table for your contact ?

Regards,

[itsul]

Hi,

Data from database:
INSERT INTO contact (contact_id, timeperiod_tp_id, timeperiod_tp_id2, contact_name, contact_alias, contact_passwd, contact_lang, contact_host_notification_options, contact_service_notification_options, contact_email, contact_pager, contact_address1, contact_address2, contact_address3, contact_address4, contact_address5, contact_address6, contact_comment, contact_js_effects, contact_location, contact_oreon, contact_enable_notifications, contact_template_id, contact_admin, contact_type_msg, contact_activate, contact_auth_type, contact_ldap_dn, ar_id, contact_acl_group_list, contact_autologin_key, contact_charset, contact_register) VALUES
(41, NULL, NULL, 'User_for_downtime_skript', 'DowntimeSkript', NULL, 'browser', 'n', 'n', '-', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, '0', NULL, '1', '0', NULL, '0', NULL, '1', 'local', NULL, NULL, NULL, NULL, NULL, 1);

The problem is the password value. If there is no password set (VALUE=NULL) you can login with every (none empty) token. If you set the password and try to login with a wrong token it is no longer possible.

I think there is something wrong with your validation.

Regards

[julienmathis]

Hello,

Can we also have a screen shot of this page Administration > Parameters > Centreon UI (part Authentication properties)

Thanks

[itsul]

Hi Julien,

of course. Find it bellow.

[lpinsivy]

Hi,

I can reproduce your issue. It's because password is NULL for your contact.
We will correct it.

[itsul]

Hi @lpinsivy ,

unfortunately your last security update has not solved the bug completely. If i look at ref centreon/centreon@3735461?diff=split which is linked from you, there is only the "!empty" added.

The problem is: every token is valid for login.

Furthermore i think you should add the fix to the other sections/auth. methods such as local users (at the moment the "fix" is only made at ldap auth.)

[kduret]

Hi @itsul ,

This fix has been done for local usersand fix the problem for every token.

Did you try to reproduce your security issue with this patch ?
If yes, can you give us a procedure to reproduce it ?

Thanks

[itsul]

Hi @kduret ,

i tried your fix without success. If you want, we can make a webex session to collect all necessary information. This worked well in the past.

Laurent should have the contact data of us, i do not want to publish it here.

Regards

[kduret]

Hi @itsul ,
Does the problem still exist ?

If yes, I can contact you tomorrow to solve it.

Regards

[itsul]

Hi @kduret ,

we will review the latest version and test if the bug is still present.

Regards

[kduret]

Ok thanks @itsul !

I wait your feedback.

Regards

[itsul]

You can close the issue as solved. Tested it with 2.8.3 centreon and could not login as expected.

[kduret]

thanks for your feedback !