[ome-devel] [Fwd: Re: OMERO-Matlab: security bug]

Josh Moore josh at glencoesoftware.com
Tue Jan 24 16:49:16 GMT 2012


On Jan 24, 2012, at 5:20 PM, Jay Copeland wrote:

> Hello Josh,

Hi Jay,

> Sebastien's account is an LDAP account and the LDAP plugin is enabled. Can
> you provide me with the right code snippet to examine the password table
> you referred to?

The command is: psql -U omero -h localhost omero -c "select hash from password where experimenter_id = 254" (for Sebastien), but if the LDAP plugin is enabled it's OK for the hash to be empty (as it appears to be).

~Josh

> Thanks.
> 
> Jay
> 
> On Tue, Jan 24, 2012 at 10:53 AM, Sebastien Besson <
> seb.besson at googlemail.com> wrote:
> 
>> Hi Jay,
>> 
>> do you know about the admin questions of Josh?
>> Can we try to modify my password so that we test this bug?
>> 
>> Sebastien
>> 
>> -------- Forwarded Message --------
>> From: Josh Moore <josh at glencoesoftware.com>
>> To: seb.besson at gmail.com
>> Cc: ome-devel at lists.openmicroscopy.org.uk
>> Subject: Re: [ome-devel] OMERO-Matlab: security bug
>> Date: Mon, 23 Jan 2012 20:45:40 +0100
>> 
>> On Jan 23, 2012, at 8:30 PM, Sebastien Besson wrote:
>> 
>>> Hi everyone,
>> 
>> Hi Sebastien,
>> 
>>> Using Matlab 2011a and OMERO.matlab-4.3.3 under Ubuntu 10.04, I ran into
>>> a serious security issue while connecting to my OME server: I do not
>>> need to provide a valid password to access my data on the server.
>>> Below are the commands I use under Matlab:
>>> 
>>> % Create client and session
>>> client = omero.client('lincs-omero.hms.harvard.edu', 4064);
>>> session = client.createSession('sb286', '');
>>> 
>>> % Load datasets
>>> param = omero.sys.ParametersI();
>>> param.leaves(); % indicate to load the images
>>> proxy = session.getContainerService();
>>> datasetsList = proxy.loadContainerHierarchy('omero.model.Dataset', [], param);
>>> 
>>> Sessions with an invalid username return an empty datasetsList. I tried
>>> with another valid user of this server and I could access the data.
>> 
>> Can you confirm that there is an entry in the 'password' table for each of
>> the users you logged in as? The primary key is the experimenter_id
>> column. My guess is that there is an entry, but under 'hash' there's an
>> empty string. In this case, one can in fact log in with any password. Can
>> you log in from Insight using a fake password? If you change your password
>> in Insight, the command line or the API, can you still log in with the empty
>> password?
>> 
>> A few other questions: How did your user get created? (via LDAP?) Is the
>> LDAP plugin still activated?
>> 
>> Thanks for helping us to track this down!
>> 
>>> I tried to duplicate this bug using OMERO insight and I got successfully
>>> rejected when trying to login without my password.
>> 
>> NB: Insight requires a password even in cases where the server does not.
>> 
>>> Best,
>>> Sebastien
>> 
>> Cheers,
>> ~Josh.
>> 
>> 
>> 
> 
> 
> -- 
> Jay Copeland
> Research Technology Coordinator
> Department of Systems Biology - Harvard Medical School
> 200 Longwood Ave., WAB 438
> Boston, MA 02115
> 978-501-0325
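As an added illustration of the two checks discussed in this thread (not OMERO's own code): a model in which an empty stored hash either lets any password through, as Josh describes, or is accepted only when the LDAP plugin is enabled and LDAP confirms the password. PASSWORD_TABLE, the salted SHA-256 scheme and the ldap_bind callback are constructed stand-ins; only the experimenter id 254 and the empty-hash condition come from the thread.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List

# Constructed stand-in for the 'password' table (experimenter_id -> hash); '' models the empty 'hash' column from the thread.
PASSWORD_TABLE: Dict[int, str] = {}

def set_password(experimenter_id: int, password: str) -> None:
    """Store a salted SHA-256 hash (hypothetical scheme, not OMERO's)."""
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    PASSWORD_TABLE[experimenter_id] = salt.hex() + "$" + digest

def check_hash(stored: str, password: str) -> bool:
    # Constant-time comparison of the supplied password against the stored hash.
    salt_hex, digest = stored.split("$", 1)
    candidate = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)

def login_naive(experimenter_id: int, password: str) -> bool:
    """Flawed check: an empty stored hash means 'no local password', so anything passes."""
    stored = PASSWORD_TABLE.get(experimenter_id)
    if stored is None:
        return False
    if stored == "":
        return True  # the behaviour Josh describes: any password, even '', logs in
    return check_hash(stored, password)

def login_hardened(experimenter_id: int, password: str, ldap_enabled: bool,
                   ldap_bind: Callable[[int, str], bool]) -> bool:
    """Hardened check: an empty hash is only acceptable when LDAP is enabled and confirms the password."""
    stored = PASSWORD_TABLE.get(experimenter_id)
    if stored is None:
        return False
    if stored == "":
        if not ldap_enabled or password == "":
            return False  # no local hash and nobody else to ask: deny
        return ldap_bind(experimenter_id, password)
    return check_hash(stored, password)

def audit_empty_hashes(ldap_enabled: bool) -> List[int]:
    """Server-wide form of Josh's psql query: ids whose empty hash is not covered by LDAP."""
    if ldap_enabled:
        return []
    return sorted(eid for eid, h in PASSWORD_TABLE.items() if h == "")

if __name__ == "__main__":
    set_password(1, "correct horse")
    PASSWORD_TABLE[254] = ""  # experimenter 254 from the thread, with an empty hash
    print(login_naive(254, "anything"), audit_empty_hashes(ldap_enabled=False))
```

With the LDAP plugin disabled, audit_empty_hashes lists exactly the accounts that the naive check lets in with any password.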


