[ome-devel] [Fwd: Re: OMERO-Matlab: security bug]

Sebastien Besson seb.besson at googlemail.com
Tue Jan 24 17:17:24 GMT 2012


Hi Josh,

I had thought of the possibility of a stored password. However, since I
was able to log in with another user which had never used my machine to
connect to the server, I don't think this is the case.

Here's my output when using omero.dump=1

IceSSL.VerifyPeer=0
omero.ClientCallback.ThreadPool.Size=5
omero.ClientCallback.Endpoints=tcp
Ice.ACM.Client=0
omero.user=sb286
Ice.MessageSizeMax=65536
Ice.ImplicitContext=Shared
Ice.Default.EndpointSelection=Ordered
Ice.Default.Router=OMERO.Glacier2/router:ssl -p 4064 -h lincs-omero.hms.harvard.edu
IceSSL.Ciphers=NONE (DH_anon)
Ice.RetryIntervals=-1
Ice.Plugin.IceSSL=IceSSL.PluginFactory
Ice.Override.ConnectTimeout=5000
Ice.Config=
omero.host=lincs-omero...
omero.dump=1
Ice.Default.PreferSecure=1
omero.port=4064

Sebastien


On Tue, 2012-01-24 at 17:52 +0100, Josh Moore wrote:
> On Jan 24, 2012, at 5:37 PM, Sebastien Besson wrote:
> 
> > Hi Josh,
> 
> Hi Sebastien,
> 
> > to complement Jay's answer, when trying to log in using a fake password,
> > I get successfully denied from Matlab and Insight. I can only create
> > sessions using an empty string or my true password under Matlab-OMERO
> 
> Is there any possibility that you've set omero.pass in an ice.config file somewhere? If you pass "omero.dump=1" to the omero.client constructor:
> 
> props = java.util.Properties();
> props.setProperty('omero.user','sb286');
> props.setProperty('omero.host','lincs-omero...');
> props.setProperty('omero.dump', '1');
> client = omero.client(props);
> client.createSession();
> 
> What gets printed?
> ~Josh.
> 
> > Sebastien
> > 
> > On Tue, 2012-01-24 at 11:20 -0500, Jay Copeland wrote:
> >> Hello Josh,
> >> 
> >> 
> >> Sebastien's account is an LDAP account and the LDAP plugin is enabled.
> >> Can you provide me with the right code snippet to examine the password
> >> table you referred to?
> >> 
> >> 
> >> Thanks.
> >> 
> >> 
> >> Jay
> >> 
> >> On Tue, Jan 24, 2012 at 10:53 AM, Sebastien Besson
> >> <seb.besson at googlemail.com> wrote:
> >>        Hi Jay,
> >> 
> >>        do you know about the admin questions of Josh?
> >>        Can we try to modify my password so that we test this bug?
> >> 
> >>        Sebastien
> >> 
> >>        -------- Forwarded Message --------
> >>        From: Josh Moore <josh at glencoesoftware.com>
> >>        To: seb.besson at gmail.com
> >>        Cc: ome-devel at lists.openmicroscopy.org.uk
> >>        Subject: Re: [ome-devel] OMERO-Matlab: security bug
> >>        Date: Mon, 23 Jan 2012 20:45:40 +0100
> >> 
> >>        On Jan 23, 2012, at 8:30 PM, Sebastien Besson wrote:
> >> 
> >>> Hi everyone,
> >> 
> >>        Hi Sebastien,
> >> 
> >>> Using Matlab 2011a and OMERO.matlab-4.3.3 under Ubuntu 10.04, I ran into
> >>> a serious security issue while connecting to my OME server: I do not
> >>> need to provide a valid password to access my data on the server.
> >>> Below are the commands I use under Matlab
> >>> 
> >>> % Create client and session
> >>> client = omero.client('lincs-omero.hms.harvard.edu', 4064);
> >>> session = client.createSession('sb286', '');
> >>> 
> >>> % Load datasets
> >>> param = omero.sys.ParametersI();
> >>> param.leaves(); % indicate to load the images
> >>> proxy = session.getContainerService();
> >>> datasetsList = proxy.loadContainerHierarchy('omero.model.Dataset', [], param);
> >>> 
> >>> Sessions with an invalid username return an empty datasetsList. I tried
> >>> with another valid user of this server and I could access the data.
> >> 
> >>        Can you confirm that there is an entry in the 'password' table
> >>        for each of the users you logged in as? The primary key is the
> >>        experimenter_id column. My guess is that there is an
> >>        entry, but under 'hash' there's an empty string. In this case,
> >>        one can in fact log in with any password. Can you log in from
> >>        Insight using a fake password? If you change your password in
> >>        Insight, the command-line or the API, can you still log in with
> >>        the empty password?
> >> 
> >>        A few other questions: How did your user get created? (via
> >>        LDAP?) Is the LDAP plugin still activated?
> >> 
> >>        Thanks for helping us to track this down!
> >> 
> >>> I tried to duplicate this bug using OMERO insight and I got successfully
> >>> rejected when trying to login without my password.
> >> 
> >>        NB: Insight requires a password even in cases where the server
> >>        does not.
> >> 
> >>> Best,
> >>> Sebastien
> >> 
> >>        Cheers,
> >>        ~Josh.
> >> 
> 
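As an added example (not code from the thread or from OMERO itself), here is the audit Josh asks for, modelled in Python: rows of the 'password' table are constructed, the hash function is a stand-in rather than OMERO's, and the two check functions model the suspected "empty hash accepts any password" behaviour beside a fail-closed version.

```python
"""Audit helper for the OMERO 'password' table discussed in the thread.

Added example, not OMERO code. Assumptions: one row per experimenter keyed
by experimenter_id with the stored value in the 'hash' column (names from
the thread); the hash algorithm and the sample rows below are stand-ins.
"""
import hashlib
import hmac


def stand_in_hash(password: str) -> str:
    """Placeholder for whatever OMERO really stores; only used to build samples."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample rows: (experimenter_id, hash).
# Row 2 is the condition Josh describes: an entry exists but the hash is "".
# Row 3 has no hash at all (NULL); the same audit should catch it too.
SAMPLE_PASSWORD_TABLE = [
    (1, stand_in_hash("correct horse")),
    (2, ""),
    (3, None),
    (4, stand_in_hash("s3cret")),
]


def empty_hash_accounts(rows):
    """Return experimenter_ids whose stored hash is empty or NULL.

    Under the behaviour Josh suspects these accounts accept any password,
    so they are the ones to check first (e.g. LDAP-created users)."""
    return sorted(eid for eid, h in rows if h is None or h.strip() == "")


def weak_check(stored_hash, supplied: str) -> bool:
    """Model of the suspected server logic: an empty stored hash is treated
    as 'no password set' and every supplied password, including "", passes."""
    if not stored_hash:
        return True
    return hmac.compare_digest(stored_hash, stand_in_hash(supplied))


def hardened_check(stored_hash, supplied: str) -> bool:
    """Fail closed: an account with no stored hash cannot authenticate by
    password at all, and an empty supplied password is never accepted."""
    if not stored_hash or not supplied:
        return False
    return hmac.compare_digest(stored_hash, stand_in_hash(supplied))
```

Running `empty_hash_accounts` over a real export of the table gives the list of experimenters to re-test with a fake password, which is the confirmation step Josh proposes.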