[ome-devel] [Fwd: Re: OMERO-Matlab: security bug]

Sebastien Besson seb.besson at googlemail.com
Tue Jan 24 16:37:20 GMT 2012


Hi Josh,

to complement Jay's answer, when trying to log in using a fake password,
I get successfully denied from Matlab and Insight. I can only create
sessions using an empty string or my true password under Matlab-OMERO.

Sebastien

On Tue, 2012-01-24 at 11:20 -0500, Jay Copeland wrote:
> Hello Josh,
> 
> 
> Sebastien's account is an LDAP account and the LDAP plugin is enabled.
> Can you provide me with the right code snippet to examine the password
> table you referred to?
> 
> 
> Thanks.
> 
> 
> Jay
> 
> On Tue, Jan 24, 2012 at 10:53 AM, Sebastien Besson
> <seb.besson at googlemail.com> wrote:
>         Hi Jay,
>         
>         do you know about the admin questions of Josh?
>         Can we try to modify my password so that we test this bug?
>         
>         Sebastien
>         
>         -------- Forwarded Message --------
>         From: Josh Moore <josh at glencoesoftware.com>
>         To: seb.besson at gmail.com
>         Cc: ome-devel at lists.openmicroscopy.org.uk
>         Subject: Re: [ome-devel] OMERO-Matlab: security bug
>         Date: Mon, 23 Jan 2012 20:45:40 +0100
>         
>         On Jan 23, 2012, at 8:30 PM, Sebastien Besson wrote:
>         
>         > Hi everyone,
>         
>         Hi Sebastien,
>         
>         > Using Matlab 2011a and OMERO.matlab-4.3.3 under Ubuntu 10.04, I ran into
>         > a serious security issue while connecting to my OME server: I do not
>         > need to provide a valid password to access my data on the server.
>         > Below are the commands I use under Matlab
>         >
>         > % Create client and session
>         > client = omero.client('lincs-omero.hms.harvard.edu', 4064);
>         > session = client.createSession('sb286', '');
>         >
>         > % Load datasets
>         > param = omero.sys.ParametersI();
>         > param.leaves(); % indicate to load the images
>         > proxy = session.getContainerService();
>         > datasetsList = proxy.loadContainerHierarchy('omero.model.Dataset', [], param);
>         >
>         > Sessions with an invalid username return an empty datasetsList. I tried
>         > with another valid user of this server and I could access the data.
>         
>         Can you confirm that there is an entry in the 'password' table
>         for each of the users you logged in as? The primary key is the
>         experimenter_id column. My guess is that there is an
>         entry, but under 'hash' there's an empty string. In this case,
>         one can in fact log in with any password. Can you log in from
>         Insight using a fake password? If you change your password in
>         Insight, the command-line or the API, can you still log in with
>         the empty password?
>         
>         A few other questions: How did your user get created? (via
>         LDAP?) Is the LDAP plugin still activated?
>         
>         Thanks for helping us to track this down!
>         
>         > I tried to duplicate this bug using OMERO insight and I got
>         > successfully rejected when trying to login without my password.
>         
>         NB: Insight requires a password even in cases where the server
>         does not.
>         
>         > Best,
>         > Sebastien
>         
>         Cheers,
>         ~Josh.
>         
>         
> -- 
> Jay Copeland
> Research Technology Coordinator
> Department of Systems Biology - Harvard Medical School
> 200 Longwood Ave., WAB 438
> Boston, MA 02115
> 978-501-0325
> 
> 

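The thread turns on two things: Jay's request for a snippet to examine the `password` table, and Josh's explanation that a row whose `hash` column is an empty string lets the account log in with any password. The following is an added illustration written for this archive page; it is not OMERO code. The only details taken from the thread are the table name `password` and its `experimenter_id` and `hash` columns; the in-memory SQLite table, the sample rows, the SHA-256 hash scheme and the function names (`accounts_with_empty_hash`, `weak_check`, `hardened_check`, `login`) are all constructed assumptions so the example runs offline.

```python
"""Audit and login-check illustration for the empty-hash problem in the thread.

Assumptions: everything except the 'password' table name and its
'experimenter_id' / 'hash' columns is constructed for this example.
OMERO's real database is not SQLite and its hash format is not modelled here.
"""
import hashlib
import hmac
import sqlite3


def _h(password: str) -> str:
    """Stand-in hash function (assumed; not OMERO's scheme)."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample rows: one healthy local account, one with an empty
# hash (the state Josh suspects for an LDAP-created user), one with NULL.
SAMPLE_ROWS = [
    (1, _h("correct-horse")),  # normal local account
    (2, ""),                   # empty hash: accepts any password under weak_check
    (3, None),                 # NULL hash: same problem, different representation
]


def build_password_table() -> sqlite3.Connection:
    """Create an in-memory table with the two columns the thread names."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE password (experimenter_id INTEGER PRIMARY KEY, hash TEXT)"
    )
    conn.executemany("INSERT INTO password VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def accounts_with_empty_hash(conn: sqlite3.Connection) -> list:
    """Audit query: experimenters whose stored hash is empty or NULL.

    This is the kind of check Jay asked for; the SQL is plain enough to run
    against the real table as well.
    """
    rows = conn.execute(
        "SELECT experimenter_id FROM password "
        "WHERE hash IS NULL OR hash = '' ORDER BY experimenter_id"
    ).fetchall()
    return [r[0] for r in rows]


def lookup_hash(conn: sqlite3.Connection, experimenter_id: int):
    """Return the stored hash for an experimenter, or None if absent/NULL."""
    row = conn.execute(
        "SELECT hash FROM password WHERE experimenter_id = ?", (experimenter_id,)
    ).fetchone()
    return row[0] if row else None


def weak_check(stored_hash, supplied: str) -> bool:
    """Behaviour the thread describes: an empty/NULL stored hash skips
    verification entirely, so any supplied password (including '') passes."""
    if not stored_hash:
        return True
    return _h(supplied) == stored_hash


def hardened_check(stored_hash, supplied: str) -> bool:
    """Defensive variant: an account with no usable local hash, or an empty
    supplied password, never authenticates locally. Users created through an
    external directory should be verified by that backend (e.g. LDAP), not by
    falling through an empty local hash."""
    if not stored_hash or not supplied:
        return False
    return hmac.compare_digest(_h(supplied), stored_hash)


def login(conn: sqlite3.Connection, experimenter_id: int, supplied: str, check) -> bool:
    """Look the account up and apply the given check; unknown accounts fail."""
    row = conn.execute(
        "SELECT hash FROM password WHERE experimenter_id = ?", (experimenter_id,)
    ).fetchone()
    if row is None:
        return False  # no such account
    return check(row[0], supplied)


if __name__ == "__main__":
    db = build_password_table()
    print("accounts with empty/NULL hash:", accounts_with_empty_hash(db))
    for uid in (1, 2, 3):
        print(uid, "weak:", login(db, uid, "anything", weak_check),
              "hardened:", login(db, uid, "anything", hardened_check))
```

Run as a script it lists the two problem accounts and shows that the weak check admits them with an arbitrary password while the hardened check does not. Josh's remark that Insight requires a password even when the server does not is the other half of the picture: a client-side prompt only hides the gap, so the audit query and the server-side rule are what actually close it.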