[ome-devel] [Fwd: Re: OMERO-Matlab: security bug]

Josh Moore josh at glencoesoftware.com
Tue Jan 24 16:52:07 GMT 2012


On Jan 24, 2012, at 5:37 PM, Sebastien Besson wrote:

> Hi Josh,

Hi Sebastien,

> to complement Jay's answer, when trying to log in using a fake password,
> I get successfully denied from Matlab and Insight. I can only create
> sessions using an empty string or my true password under Matlab-OMERO

Is there any possibility that you've set omero.pass in an ice.config file somewhere? If you pass "omero.dump=1" to the omero.client constructor:

props = java.util.Properties();
props.setProperty('omero.user','sb286');
props.setProperty('omero.host','lincs-omero...');
props.setProperty('omero.dump', '1');
client = omero.client(props);
client.createSession();

What gets printed?
~Josh.

> Sebastien
> 
> On Tue, 2012-01-24 at 11:20 -0500, Jay Copeland wrote:
>> Hello Josh,
>> 
>> 
>> Sebastien's account is an LDAP account and the LDAP plugin is enabled.
>> Can you provide me with the right code snippet to examine the password
>> table you referred to?
>> 
>> 
>> Thanks.
>> 
>> 
>> Jay
>> 
>> On Tue, Jan 24, 2012 at 10:53 AM, Sebastien Besson
>> <seb.besson at googlemail.com> wrote:
>>        Hi Jay,
>> 
>>        do you know about the admin questions of Josh?
>>        Can we try to modify my password so that we test this bug?
>> 
>>        Sebastien
>> 
>>        -------- Forwarded Message --------
>>        From: Josh Moore <josh at glencoesoftware.com>
>>        To: seb.besson at gmail.com
>>        Cc: ome-devel at lists.openmicroscopy.org.uk
>>        Subject: Re: [ome-devel] OMERO-Matlab: security bug
>>        Date: Mon, 23 Jan 2012 20:45:40 +0100
>> 
>>        On Jan 23, 2012, at 8:30 PM, Sebastien Besson wrote:
>> 
>>> Hi everyone,
>> 
>>        Hi Sebastien,
>> 
>>> Using Matlab 2011a and OMERO.matlab-4.3.3 under Ubuntu 10.04, I ran into
>>> a serious security issue while connecting to my OME server: I do not
>>> need to provide a valid password to access my data on the server.
>>> Below are the commands I use under Matlab
>>> 
>>> % Create client and session
>>> client = omero.client('lincs-omero.hms.harvard.edu', 4064);
>>> session = client.createSession('sb286', '');
>>> 
>>> % Load datasets
>>> param = omero.sys.ParametersI();
>>> param.leaves(); % indicate to load the images
>>> proxy = session.getContainerService();
>>> datasetsList = proxy.loadContainerHierarchy('omero.model.Dataset', [], param);
>>> 
>>> Sessions with an invalid username return an empty datasetsList. I tried
>>> with another valid user of this server and I could access the data.
>> 
>>        Can you confirm that there is an entry in the 'password' table
>>        for each of the users you logged in as? The primary key is the
>>        experimenter_id column. My guess is that there is an
>>        entry, but under 'hash' there's an empty string. In this case,
>>        one can in fact log in with any password. Can you log in from
>>        insight using a fake password? If you change your password in
>>        insight, the command-line or the API, can you still log in with
>>        the empty password?
>> 
>>        A few other questions: How did your user get created? (via
>>        LDAP?) Is the LDAP plugin still activated?
>> 
>>        Thanks for helping us to track this down!
>> 
>>> I tried to duplicate this bug using OMERO insight and I got successfully
>>> rejected when trying to login without my password.
>> 
>>        NB: Insight requires a password even in cases where the server
>>        does not.
>> 
>>> Best,
>>> Sebastien
>> 
>>        Cheers,
>>        ~Josh.
>> 
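Added example (not part of the thread, and not OMERO project code): a self-contained audit of the kind Jay asked for, listing experimenters whose row in the 'password' table has an empty or NULL 'hash', which is the state Josh suspects lets any password through. The column names experimenter_id and hash come from the thread; the 'experimenter' table with 'id' and 'omename' columns, the row values and the placeholder hash strings are constructed assumptions so that the query can be run offline against an in-memory sqlite stand-in. Accounts with no password row at all are reported separately rather than ignored, since the thread leaves open how LDAP-created users are stored.

```python
import sqlite3

# Constructed sample data, not a dump of any real OMERO database.
# experimenter_id / hash are the column names given in the thread; the
# experimenter table (id, omename) is an assumption about the neighbouring
# schema, and the hash strings are placeholders, not real OMERO hashes.
SAMPLE_EXPERIMENTERS = [
    (0, "root"),
    (2, "alice"),
    (3, "bob"),
    (5, "carol"),
    (7, "dave"),   # no password row at all (see the LDAP question in the thread)
]
SAMPLE_PASSWORD_ROWS = [
    (0, "PLACEHOLDER_HASH_root"),
    (2, ""),       # empty hash: the condition Josh describes, any password accepted
    (3, None),     # NULL hash: flag this too, so the audit does not rely on '' alone
    (5, "PLACEHOLDER_HASH_carol"),
]

# The audit query itself. Plain SQL, so it runs unchanged against PostgreSQL
# (OMERO's backend) as well as the sqlite stand-in built below.
AUDIT_SQL = """
SELECT e.id, e.omename,
       CASE
         WHEN p.experimenter_id IS NULL THEN 'no password row'
         WHEN p.hash IS NULL          THEN 'NULL hash'
         ELSE                              'empty hash'
       END AS finding
FROM experimenter e
LEFT JOIN password p ON p.experimenter_id = e.id
WHERE p.experimenter_id IS NULL OR p.hash IS NULL OR p.hash = ''
ORDER BY e.id
"""


def build_sample_db(experimenters=SAMPLE_EXPERIMENTERS,
                    password_rows=SAMPLE_PASSWORD_ROWS):
    """Create an in-memory stand-in for the two tables the audit reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE experimenter (id INTEGER PRIMARY KEY, omename TEXT NOT NULL)"
    )
    conn.execute(
        "CREATE TABLE password ("
        "experimenter_id INTEGER PRIMARY KEY REFERENCES experimenter(id), "
        "hash TEXT)"
    )
    conn.executemany("INSERT INTO experimenter VALUES (?, ?)", experimenters)
    conn.executemany("INSERT INTO password VALUES (?, ?)", password_rows)
    conn.commit()
    return conn


def find_unprotected_accounts(conn):
    """Return (id, omename, finding) for every account the audit flags."""
    return [(row[0], row[1], row[2]) for row in conn.execute(AUDIT_SQL)]


if __name__ == "__main__":
    for exp_id, omename, finding in find_unprotected_accounts(build_sample_db()):
        print(f"experimenter {exp_id} ({omename}): {finding}")
```

Against a live server only the SELECT is needed; the sqlite setup exists so the query's three cases (empty string, NULL, missing row) can be checked before it is pointed at real data. An 'empty hash' finding is the one the thread is about; whether 'no password row' is a problem depends on whether that user is meant to authenticate through the LDAP plugin, which is exactly what Josh asks Jay to confirm.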


