[ome-devel] [Fwd: Re: OMERO-Matlab: security bug]
seb.besson at googlemail.com
Tue Jan 24 16:37:20 GMT 2012
to complement Jay's answer, when trying to log in using a fake password,
I get successfully denied from Matlab and Insight. I can only create
sessions using an empty string or my true password under Matlab-OMERO.
On Tue, 2012-01-24 at 11:20 -0500, Jay Copeland wrote:
> Hello Josh,
> Sebastien's account is an LDAP account and the LDAP plugin is enabled.
> Can you provide me with the right code snippet to examine the password
> table you referred to?
> On Tue, Jan 24, 2012 at 10:53 AM, Sebastien Besson
> <seb.besson at googlemail.com> wrote:
> Hi Jay,
> do you know about the admin questions of Josh?
> Can we try to modify my password so that we test this bug?
> -------- Forwarded Message --------
> From: Josh Moore <josh at glencoesoftware.com>
> To: seb.besson at gmail.com
> Cc: ome-devel at lists.openmicroscopy.org.uk
> Subject: Re: [ome-devel] OMERO-Matlab: security bug
> Date: Mon, 23 Jan 2012 20:45:40 +0100
> On Jan 23, 2012, at 8:30 PM, Sebastien Besson wrote:
> > Hi everyone,
> Hi Sebastien,
> > Using Matlab 2011a and OMERO.matlab-4.3.3 under Ubuntu
> 10.04, I ran into
> > a serious security issue while connecting to my OME server:
> I do not
> > need to provide a valid password to access my data on the
> > Below are the commands, i use under Matlab
> > % Create client and session
> > client = omero.client('lincs-omero.hms.harvard.edu', 4064);
> > session = client.createSession('sb286', '');
> > % Load datasets
> > param = omero.sys.ParametersI();
> > param.leaves();%indicate to load the images
> > proxy=session.getContainerService();
> > datasetsList =
> proxy.loadContainerHierarchy('omero.model.Dataset', ,
> > param);
> > Sessions with an invalid username return an empty
> datasetsList. I tried
> > with another valid user of this server and I could access
> the data.
> Can you confirm that there is an entry in the 'password' table
> for each of the users you logged in as. The primary key is the
> column experimenter_id column. My guess is that there is an
> entry, but under 'hash' there's an empty string. In this case,
> one can in fact login in with any password. Can you login from
> insight using a fake password? If you change your password in
> insight, the command-line or the API, can you still login with
> the empty password?
> A few other questions: How did your user get created? (via
> LDAP?) Is the LDAP plugin still activated?
> Thanks for helping us to track this down!
> > I tried to duplicate this bug using OMERO insight and I got
> > rejected when trying to login without my password.
> NB: Insight requires a password even in cases where the server
> does not.
> > Best,
> > Sebastien
> Jay Copeland
> Research Technology Coordinator
> Department of Systems Biology - Havard Medical School
> 200 Longwood Ave., WAB 438
> Boston, MA 02115
More information about the ome-devel