[ome-devel] OMERO-Matlab: security bug

Josh Moore josh at glencoesoftware.com
Mon Jan 23 19:45:40 GMT 2012


On Jan 23, 2012, at 8:30 PM, Sebastien Besson wrote:

> Hi everyone,

Hi Sebastien,

> Using Matlab 2011a and OMERO.matlab-4.3.3 under Ubuntu 10.04, I ran into
> a serious security issue while connecting to my OME server: I do not
> need to provide a valid password to access my data on the server.
> Below are the commands I use under Matlab:
> 
> % Create client and session
> client = omero.client('lincs-omero.hms.harvard.edu', 4064); 
> session = client.createSession('sb286', '');
> 
> % Load datasets
> param = omero.sys.ParametersI();
> param.leaves(); % indicate to load the images
> proxy=session.getContainerService();
> datasetsList = proxy.loadContainerHierarchy('omero.model.Dataset', [],
> param);
> 
> Sessions with an invalid username return an empty datasetsList. I tried
> with another valid user of this server and I could access the data.

Can you confirm that there is an entry in the 'password' table for each of the users you logged in as? The primary key is the experimenter_id column. My guess is that there is an entry, but under 'hash' there's an empty string. In this case, one can in fact log in with any password. Can you log in from Insight using a fake password? If you change your password in Insight, the command line or the API, can you still log in with the empty password?

A few other questions: How did your user get created? (via LDAP?) Is the LDAP plugin still activated?

Thanks for helping us to track this down!

> I tried to duplicate this bug using OMERO insight and I got successfully
> rejected when trying to log in without my password.

NB: Insight requires a password even in cases where the server does not.

> Best,
> Sebastien

Cheers,
~Josh.
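The check Josh asks for above (look in the 'password' table for rows whose 'hash' is an empty string) and the failure mode he describes (an empty hash makes any password acceptable) are worked through below in an added example that is not part of this thread and is not OMERO's code. Only the table name and the two column names (experimenter_id, hash) come from Josh's message; the schema, the rows, the SHA-256 hashing scheme and the exact behaviour of the permissive check are assumptions made for the example. The audit query is the part a server admin would actually run; the two check functions contrast the permissive behaviour with a strict one that refuses to authenticate anyone whose stored hash is empty.

```python
import hashlib
import hmac
import sqlite3
from typing import List, Optional

# Constructed stand-in for the 'password' table Josh refers to. Only the table
# and column names are taken from the thread; this schema is an assumption.
SCHEMA = """
CREATE TABLE password (
    experimenter_id INTEGER PRIMARY KEY,
    hash TEXT
)
"""


def hash_password(password: str) -> str:
    """Assumed hashing scheme for the example only; NOT OMERO's real scheme.
    A real deployment would use a salted, slow KDF (bcrypt/scrypt/PBKDF2)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_sample_db() -> sqlite3.Connection:
    """Constructed rows: a normal user, a user with an empty hash (the case
    Josh suspects), and a user with no hash at all."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO password (experimenter_id, hash) VALUES (?, ?)",
        [
            (1, hash_password("correct horse battery staple")),  # normal user
            (2, ""),    # empty string under 'hash'
            (3, None),  # NULL hash
        ],
    )
    conn.commit()
    return conn


def audit_empty_hashes(conn: sqlite3.Connection) -> List[int]:
    """The audit Josh asks for: which experimenters have no usable hash?
    NULL is included because it is just as unusable as an empty string."""
    rows = conn.execute(
        "SELECT experimenter_id FROM password "
        "WHERE hash IS NULL OR hash = '' ORDER BY experimenter_id"
    ).fetchall()
    return [row[0] for row in rows]


def stored_hash(conn: sqlite3.Connection, experimenter_id: int) -> Optional[str]:
    row = conn.execute(
        "SELECT hash FROM password WHERE experimenter_id = ?", (experimenter_id,)
    ).fetchone()
    return None if row is None else row[0]


def check_password_permissive(conn: sqlite3.Connection, experimenter_id: int,
                              password: str) -> bool:
    """Models the behaviour described in the thread: an empty stored hash is
    treated as 'no password set', so ANY password, including '', is accepted.
    Assumption for the example: a NULL hash or a missing row is rejected."""
    h = stored_hash(conn, experimenter_id)
    if h is None:
        return False
    if h == "":
        return True  # the bug: no comparison happens at all
    return hmac.compare_digest(h, hash_password(password))


def check_password_strict(conn: sqlite3.Connection, experimenter_id: int,
                          password: str) -> bool:
    """Hardened form: an empty or NULL hash means the account cannot log in
    with a password at all, and an empty password is never accepted."""
    h = stored_hash(conn, experimenter_id)
    if not h or not password:
        return False
    return hmac.compare_digest(h, hash_password(password))


if __name__ == "__main__":
    db = build_sample_db()
    print("experimenters with empty/NULL hash:", audit_empty_hashes(db))
    print("permissive, user 2, password '':", check_password_permissive(db, 2, ""))
    print("strict,     user 2, password '':", check_password_strict(db, 2, ""))
```

Running the audit against a real server would use the same WHERE clause on the real 'password' table; any experimenter_id it returns is one whose login path needs to be checked against whatever is supposed to own authentication for that user (for example an external plugin), rather than silently accepting every password.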

