alvinsiew / ldap-self-service Goto Github PK

The current code contains a severe security vulnerability which results in arbitrary shell command execution with the rights of the user running the service. If you follow the README's installation instructions, this is the root user, resulting in immediate total system compromise.
The problematic code is here: https://github.com/alvinsiew/ldap-self-service/blob/main/internal/web/web.go#L20-L21

cmd := "ldappasswd -H " + ldapADDR + " -x -D cn=" + u + "," + userDN + " -w " + op + " -s " + np
out, err := exec.Command("bash", "-c", cmd).Output()

If the attacker enters a new password containing a semicolon, everything following it is executed as bash commands. To validate: Enter as new password "whatever ; touch /tmp/hacked" (all other fields don't matter) and validate that the file /tmp/hacked now exists.
Solution: Don't shell out for changing the password but use a Go LDAP library like https://pkg.go.dev/github.com/go-ldap/ldap/v3#Conn.PasswordModify instead.

this looks great but it would not help with the lost passwort problem.

could you add the lost passwort via email
and a ohter methode you can modfiy for example exec a tool that gets as an paramater a token (that was sat as password by your software) and the other infos int he tree like mobiel phonenummer .... you get he idea
so in my case i can then forward this toeken to the sendsms tool with the infos you only have to document the the parameters

ex. ldapss-<sms|email|....> -t token .p phone - e email -x ......

but mobilephone and email woudl be a gret start.

wfg
Mario