[ome-devel] [Fwd: Re: OMERO-Matlab: security bug]

Josh Moore josh at glencoesoftware.com
Tue Jan 24 17:50:34 GMT 2012


Mark & Sebastien,

This is exactly the issue (https://issues.jfrog.org/jira/browse/RTFACT-3378 et al.) I'll have an extensions.jar ready with exactly what Mark is suggesting this PM. The only apparent workarounds until then are to disable anonymous binding on your LDAP server or disable the LDAP plugin for your OMERO server (locking out your users).

Thanks one and all for helping to track this down.
~Josh

On Jan 24, 2012, at 6:33 PM, Woodbridge, Mark R wrote:

> I don't know whether this is relevant (and apologies if not) but in our custom LDAP authentication module I had to explicitly disallow blank passwords because our LDAP server (Active Directory) only causes Java to throw an exception when you create an InitialLdapContext using an incorrect password, and not if you use a blank one.
> 
> Mark.
> ________________________________________
> From: ome-devel-bounces at lists.openmicroscopy.org.uk [ome-devel-bounces at lists.openmicroscopy.org.uk] on behalf of Sebastien Besson [seb.besson at googlemail.com]
> Sent: 24 January 2012 17:17
> To: Josh Moore
> Cc: ome-devel at lists.openmicroscopy.org.uk; Jay Copeland
> Subject: Re: [ome-devel] [Fwd: Re:  OMERO-Matlab: security bug]
> 
> Hi Josh,
> 
> I had thought of the possibility of a stored password. However, since I
> was able to log in with another user which had never used my machine to
> connect to the server, I don't think this is the case.
> 
> Here's my output when using omero.dump=1
> 
> IceSSL.VerifyPeer=0
> omero.ClientCallback.ThreadPool.Size=5
> omero.ClientCallback.Endpoints=tcp
> Ice.ACM.Client=0
> omero.user=sb286
> Ice.MessageSizeMax=65536
> Ice.ImplicitContext=Shared
> Ice.Default.EndpointSelection=Ordered
> Ice.Default.Router=OMERO.Glacier2/router:ssl -p 4064 -h lincs-omero.hms.harvard.edu
> IceSSL.Ciphers=NONE (DH_anon)
> Ice.RetryIntervals=-1
> Ice.Plugin.IceSSL=IceSSL.PluginFactory
> Ice.Override.ConnectTimeout=5000
> Ice.Config=
> omero.host=lincs-omero...
> omero.dump=1
> Ice.Default.PreferSecure=1
> omero.port=4064
> 
> Sebastien
> 
> 
> On Tue, 2012-01-24 at 17:52 +0100, Josh Moore wrote:
>> On Jan 24, 2012, at 5:37 PM, Sebastien Besson wrote:
>> 
>>> Hi Josh,
>> 
>> Hi Sebastien,
>> 
>>> to complement Jay's answer, when trying to log in using a fake password,
>>> I get successfully denied from Matlab and Insight. I can only create
>>> sessions using an empty string or my true password under Matlab-OMERO
>> 
>> Is there any possibility that you've set omero.pass in an ice.config file somewhere? If you pass "omero.dump=1" to the omero.client constructor:
>> 
>> props = java.util.Properties();
>> props.setProperty('omero.user','sb286');
>> props.setProperty('omero.host','lincs-omero...');
>> props.setProperty('omero.dump', '1');
>> client = omero.client(props);
>> client.createSession();
>> 
>> What gets printed?
>> ~Josh.
>> 
>>> Sebastien
>>> 
>>> On Tue, 2012-01-24 at 11:20 -0500, Jay Copeland wrote:
>>>> Hello Josh,
>>>> 
>>>> 
>>>> Sebastien's account is an LDAP account and the LDAP plugin is enabled.
>>>> Can you provide me with the right code snippet to examine the password
>>>> table you referred to?
>>>> 
>>>> 
>>>> Thanks.
>>>> 
>>>> 
>>>> Jay
>>>> 
>>>> On Tue, Jan 24, 2012 at 10:53 AM, Sebastien Besson
>>>> <seb.besson at googlemail.com> wrote:
>>>>       Hi Jay,
>>>> 
>>>>       do you know about the admin questions of Josh?
>>>>       Can we try to modify my password so that we test this bug?
>>>> 
>>>>       Sebastien
>>>> 
>>>>       -------- Forwarded Message --------
>>>>       From: Josh Moore <josh at glencoesoftware.com>
>>>>       To: seb.besson at gmail.com
>>>>       Cc: ome-devel at lists.openmicroscopy.org.uk
>>>>       Subject: Re: [ome-devel] OMERO-Matlab: security bug
>>>>       Date: Mon, 23 Jan 2012 20:45:40 +0100
>>>> 
>>>>       On Jan 23, 2012, at 8:30 PM, Sebastien Besson wrote:
>>>> 
>>>>> Hi everyone,
>>>> 
>>>>       Hi Sebastien,
>>>> 
>>>>> Using Matlab 2011a and OMERO.matlab-4.3.3 under Ubuntu 10.04, I ran into
>>>>> a serious security issue while connecting to my OME server: I do not
>>>>> need to provide a valid password to access my data on the server.
>>>>> Below are the commands I use under Matlab:
>>>>> 
>>>>> % Create client and session
>>>>> client = omero.client('lincs-omero.hms.harvard.edu', 4064);
>>>>> session = client.createSession('sb286', '');
>>>>> 
>>>>> % Load datasets
>>>>> param = omero.sys.ParametersI();
>>>>> param.leaves(); % indicate to load the images
>>>>> proxy = session.getContainerService();
>>>>> datasetsList = proxy.loadContainerHierarchy('omero.model.Dataset', [], param);
>>>>> 
>>>>> Sessions with an invalid username return an empty datasetsList. I tried
>>>>> with another valid user of this server and I could access the data.
>>>> 
>>>>       Can you confirm that there is an entry in the 'password' table
>>>>       for each of the users you logged in as? The primary key is the
>>>>       experimenter_id column. My guess is that there is an
>>>>       entry, but under 'hash' there's an empty string. In this case,
>>>>       one can in fact log in with any password. Can you log in from
>>>>       Insight using a fake password? If you change your password in
>>>>       Insight, the command-line or the API, can you still log in with
>>>>       the empty password?
>>>> 
>>>>       A few other questions: How did your user get created? (via
>>>>       LDAP?) Is the LDAP plugin still activated?
>>>> 
>>>>       Thanks for helping us to track this down!
>>>> 
>>>>> I tried to duplicate this bug using OMERO insight and I got
>>>>       successfully
>>>>> rejected when trying to login without my password.
>>>> 
>>>>       NB: Insight requires a password even in cases where the server
>>>>       does not.
>>>> 
>>>>> Best,
>>>>> Sebastien
>>>> 
>>>>       Cheers,
>>>>       ~Josh.
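Two checks come out of this thread: Josh's request to look for 'password' table rows whose 'hash' is empty, and Mark's point that an LDAP bind with a blank password may "succeed" as an unauthenticated bind rather than raise. The following Python is an added example, not OMERO or ome-devel code; the table and column names (password, experimenter_id, hash) come from the thread, but the rows are constructed, and fake_ad_bind is a stand-in that models the directory behaviour Mark describes rather than a real LDAP call. The function names are assumptions.

```python
import sqlite3
from typing import Callable, List


# --- Check 1: audit the password table for empty or NULL hashes -------------

def build_sample_password_table() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the OMERO 'password' table:
    primary key experimenter_id, a 'hash' column. Rows are invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE password (experimenter_id INTEGER PRIMARY KEY, hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO password (experimenter_id, hash) VALUES (?, ?)",
        [
            (1, "<constructed-hash>"),  # ordinary local account
            (2, ""),                    # account with an empty hash
            (3, None),                  # account with a NULL hash
        ],
    )
    return conn


def find_passwordless_experimenters(conn: sqlite3.Connection) -> List[int]:
    """Return experimenter_ids whose stored hash is empty or NULL.
    These are the rows Josh suggests looking for."""
    rows = conn.execute(
        "SELECT experimenter_id FROM password "
        "WHERE hash IS NULL OR hash = '' ORDER BY experimenter_id"
    ).fetchall()
    return [r[0] for r in rows]


# --- Check 2: refuse blank passwords before the directory bind -------------

class AuthenticationError(Exception):
    """Raised by the bind stand-in for a wrong password."""


def fake_ad_bind(principal: str, password: str) -> bool:
    """Assumed model of the behaviour Mark reports: a wrong password raises,
    a blank password is accepted as an unauthenticated bind (no error, no
    real authentication), and the right password succeeds."""
    directory = {"sb286": "correct-horse"}  # constructed credential store
    if password == "":
        return True  # unauthenticated bind: the hazard the guard below covers
    if directory.get(principal) == password:
        return True
    raise AuthenticationError("invalid credentials")


def ldap_authenticate(
    principal: str,
    password: str,
    bind: Callable[[str, str], bool] = fake_ad_bind,
) -> bool:
    """Authenticate via a bind callable, but only after rejecting empty or
    whitespace-only passwords so the directory never sees a blank bind."""
    if not principal or not password.strip():
        return False  # refuse before touching the directory
    try:
        return bind(principal, password)
    except AuthenticationError:
        return False


if __name__ == "__main__":
    conn = build_sample_password_table()
    print("experimenters with empty/NULL hash:", find_passwordless_experimenters(conn))
    for pw in ("", "   ", "wrong", "correct-horse"):
        print(repr(pw), "->", ldap_authenticate("sb286", pw))
```

The guard in ldap_authenticate is the same idea as the explicit blank-password check Mark added to his module: treat a blank credential as a failed login in the plugin itself, instead of relying on the directory to raise.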


