<div dir="ltr">Hello Chris,<div><br></div><div>We're using the old auth. schema:</div><div><span style>omero.security.password_</span><span style>provider=</span><span style>chainedPasswordProvider431</span> </div><div>

<br></div><div>And I've tested it and couldn't log in using the empty string ""</div><div><br></div><div>Do you know if "<span style>chainedPasswordProvider431"</span> is affected by this security vulnerability?</div>

<div><div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px;border-collapse:collapse;color:rgb(80,0,80)"><div><br></div><div>Cheers,</div><div>Leon Kolchinsky</div></span></div><br>
<br><br><div class="gmail_quote">On Wed, Jan 25, 2012 at 07:18, Chris Allan <span dir="ltr"><<a href="mailto:callan@lifesci.dundee.ac.uk">callan@lifesci.dundee.ac.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

Synopsis<br>
========<br>
<br>
An LDAP authentication vulnerability has been found in OMERO.server.<br>
<br>
Background<br>
==========<br>
<br>
When OMERO.server has LDAP authentication enabled and the LDAP server allows<br>
anonymous binds, the use of an empty ("") password via the OMERO.server API<br>
permits logging in as any LDAP-based user.<br>
<br>
Affected packages<br>
=================<br>
<br>
-------------------------------------------------------------------<br>
Package / Vulnerable / Unaffected<br>
-------------------------------------------------------------------<br>
OMERO.server < 4.3.4<br>
<br>
Impact<br>
======<br>
<br>
A remote attacker could possibly log in to accounts he/she is not permitted<br>
to access via the OMERO.server API.  Logins via OMERO.insight or OMERO.web<br>
are not affected.<br>
<br>
Workaround<br>
==========<br>
<br>
Disable LDAP authentication.<br>
<br>
Resolution<br>
==========<br>
<br>
All OMERO.server users should upgrade to at least 4.3.4:<br>
<br>
 * <a href="http://www.openmicroscopy.org/site/support/omero4/downloads" target="_blank">http://www.openmicroscopy.org/site/support/omero4/downloads</a><br>
<br>
Thanks<br>
======<br>
<br>
Sebastien Besson [1] for notifying the OME team of this security issue.<br>
<br>
 [1] <a href="http://lists.openmicroscopy.org.uk/pipermail/ome-devel/2012-January/002118.html" target="_blank">http://lists.openmicroscopy.org.uk/pipermail/ome-devel/2012-January/002118.html</a><br>
_______________________________________________<br>
ome-users mailing list<br>
<a href="mailto:ome-users@lists.openmicroscopy.org.uk">ome-users@lists.openmicroscopy.org.uk</a><br>
<a href="http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users" target="_blank">http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users</a><br>
</blockquote></div><br></div></div>
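<div>The advisory above describes the classic "unauthenticated bind" trap: under RFC 4513 section 5.1.2, an LDAP simple bind that carries a DN but an empty password is an unauthenticated bind, and a directory that permits it answers with success. Any login path that equates "bind succeeded" with "password verified" therefore accepts password "" for every user. The following is an added example, not OMERO code and not part of this thread: it models that bind behaviour with a constructed in-memory directory (so it runs offline) and places the naive check beside the hardened one, which refuses an empty password before the directory is ever consulted. The DN layout, usernames and passwords are constructed sample data.</div>

```python
"""Added example (not OMERO's code): reject empty passwords before an LDAP
simple bind is used as an authentication check.

The directory below is a constructed stand-in for a real LDAP server; it only
models the simple-bind outcome described in RFC 4513 section 5.1.2.
"""


class FakeDirectory:
    """In-memory model of an LDAP server's simple-bind result (constructed)."""

    def __init__(self, passwords, allow_unauthenticated_bind=True):
        # dn -> password; constructed sample data, not a real directory
        self.passwords = passwords
        # Whether the server accepts DN + empty password (unauthenticated bind)
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, dn, password):
        """Return True when the bind would succeed (LDAP resultCode success)."""
        if password == "":
            # RFC 4513 5.1.2: unauthenticated bind. No password is checked at
            # all; the server simply reports success if its policy permits it.
            return self.allow_unauthenticated_bind
        return self.passwords.get(dn) == password


def user_dn(username):
    """Map a login name to its DN (assumed, constructed base DN)."""
    return f"uid={username},ou=people,dc=example,dc=org"


def login_vulnerable(directory, username, password):
    """Pre-fix pattern: bind success is taken as proof of identity."""
    return directory.simple_bind(user_dn(username), password)


def login_hardened(directory, username, password):
    """Hardened pattern: an empty or whitespace-only password never reaches
    the directory, so the unauthenticated-bind path cannot be triggered,
    whatever the server's own policy is."""
    if password is None or not password.strip():
        return False
    return directory.simple_bind(user_dn(username), password)


def directory_permits_unauthenticated_bind(directory):
    """Audit helper for defenders: does the directory accept a DN with an
    empty password? A True result means every bind-based login must filter
    empty passwords itself (and the server policy should be tightened)."""
    return directory.simple_bind(user_dn("audit-probe"), "")


if __name__ == "__main__":
    # Constructed sample directory that allows unauthenticated binds
    d = FakeDirectory({user_dn("alice"): "s3cret"})
    print("server permits unauthenticated bind:",
          directory_permits_unauthenticated_bind(d))
    print("vulnerable login, empty password:", login_vulnerable(d, "alice", ""))
    print("hardened login, empty password:  ", login_hardened(d, "alice", ""))
    print("hardened login, real password:   ", login_hardened(d, "alice", "s3cret"))
```

<div>Two points the model makes visible: the fix belongs in the application, because it must hold even when someone later relaxes the directory's bind policy, and the empty-password check has to run before the bind call, not after, since the server returns plain success and gives the caller nothing to distinguish the two cases.</div>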