Security advisory (fixed in 1.3.37)

Submitted by Chris Travers on

Security Advisory: LedgerSMB < 1.3.36, Improper Logout on Some Browsers

Severity:  Low (cvssv2 base score: 3.6, total 0.5)
Remotely Exploitable: No
Complexity of Attack:  High
Impact:  Relatively low.
Prerequisite for Attack:  Physical Access to Previously Logged In Browser, so high complexity in most cases.
Attack Vector:  Physical, against client.
Impact:  The attacker may gain access unexpectedly to LedgerSMB using the client's previous credentials.

Background

LedgerSMB uses HTTP authentication, with credentials which are passed through to the database.  This means that the web application is not trusted by the database, and has no permission to the data in the absence of actual user credentials.  Logout works by setting credentials to known bad values (logout:logout) and returning these to the client.  This effectively, to the extent it works, prevents the client from logging in again with the old credentials since they are cleared.

Unfortunately there is some variation in how browsers handle a request to change credentials.  The RFC gives tremendous flexibiltiy to browsers as to when to reuse credentials.  Firefox and some other browsers will re-use credentials until they get either a 401 error from the server or a request to use different credentials.  This is the behavior that the aforementioned versions have relied upon.

Other browsers, including Chrome, do not immediately use credentials requested unless prompted by a 401 error.  This means that sending a request with bad credentials won't actually send the bad credentials unless the web server sends back an error against the good credentials first.  This behavior is counterintuitive for developers and a recipe for security problems, but it is at least in compliance with a technical reading of the RFC.

The result is that unpatched LedgerSMB depends effectively on client-side behavior to log out, and while this may not be ideal, it is totally consistent with HTTP being a stateless protocol (and therefore the client bears responsibility for managing authentication information).  This method of logout is not supported on all browsers.

Browsers which do support a purely client-side logout include Firefox and Internet Explorer.  Those that don't include Chrome.  When used with the latter category, the authentication credentials remain valid until one closes the browser.

To address this, browsers like Chrome must be required to send two round trips to the server, the first to reject the good credentials and the second to accept the bad ones.  Our patch, assuming proper operation of software and network, addresses this.  We still believe it is safer to use browsers, such as Firefox, which support a fully client-side logout.  The reason here is that if a security model requires a working network to make a logout take effect, then breakdowns in the network may introduce temporary vulnerabilities.  This is, however, a fundamental problem with browsers which rely on this and cannot be fixed by web servers using stateless approaches to authentication.

Exploit

After logout (assuming that the browser is not fully closed after), go to the login screen.  Leave the username and password blank.  Type in the db name you want to access under the company name, click Log In, and you may be logged in if the browser authentication cache has not been cleared, or just use the back button to return to the application (as authentication data will be resubmitted on request).

Workaround/How to Mitigate

Assuming single control to each client computer, this issue has only very minor security implications.  A successful attack means breaching any physical security on site.  In systems where this is not the case, client-side security concerns may well eclipse any concerns this raises, which is why we have classified it as "low" in terms of severity.

The obvious mitigation techniques include switching to a browser, such as Firefox, which does support a purely client logout from http authentication.

Another mitigation technique is to close the browser after use.  However this requires trusting users to do things that may not be obvious regarding security.  In Chrome, in cognito windows could be used to effectively prevent this (assuming they are closed after).

Patch Availability

We have a patch available for this issue.  It has not been fully regression tested, and it was committed to our public svn repository for branches/1.3 in svn revision 6518.  It is included in 1.3.37 or you can pull a patch directly from svn.

Final Notes

It is worth remembering that this is an exploit which typically would be against one layer in a relatively deep area of IT defense.  Attacks would require circumventing other routine aspects of IT security and therefore while we do recommend that users take the issue seriously it is not one which is expected to be particularly urgent.

Credit:

Chris Travers discovered this issue.