User Agent: Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0 Build ID: 20150122214805 Steps to reproduce: When I impersonate a user, I'm asked for a password before beginning the session. However, even if I leave the password empty, the session is started without any trouble. It is as if the password was not checked at all. I've seen issues in bugzilla related to the use of LDAP. In my case, I use LDAP.
I can reproduce the issue on 4.4.8 and master. 4.2.x and older are not affected.
Assignee: general → administration
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: Bugzilla-General → Administration
Ever confirmed: true
Target Milestone: --- → Bugzilla 4.4
Looks like I regressed this in Bugzilla 4.4.3 due to bug 713926.
Depends on: 713926
Version: 4.4.7 → 4.4.3
Ah, I found what the problem is. In relogin.cgi, when we generate login_request_token, the impersonator is already logged in, and so his user ID is used as data to generate the token. But when we validate the token after the form submission, the user is not yet authenticated, and so his user ID is not yet known, and issue_hash_token() falls back to the IP address as data. This means that the generated token doesn't match the initial one, and the validation fails, and so the Bugzilla::Auth system falls back to the existing login cookie of the impersonator, which exists and is valid, which is why the password is silently ignored.
Assignee: administration → LpSolit
Status: NEW → ASSIGNED
We must momentarily unset the user ID when generating the token as this information is not available when authenticating the user credentials.
Attachment #8564457 - Flags: review?(dkl)
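A model of the token lifecycle described in the two comments above, added here as an illustration and not Bugzilla's own Perl (the real code is in Bugzilla::Token and relogin.cgi). The secret, the IP address, the user ID and the "sudo_prepare" event name are constructed; only the identity fallback and the cookie fall-through mirror what the report describes:

```python
import hashlib
import hmac
from typing import List, Optional

SITE_SECRET = b"constructed-site-wide-secret"  # stand-in for the real site secret


def issue_hash_token(data: List[str], user_id: Optional[int], remote_ip: str) -> str:
    """Bind a token to request data plus the requester's identity.

    A logged-in caller is identified by user ID; an unauthenticated caller
    falls back to the client IP, the fallback the bug report describes.
    """
    identity = str(user_id) if user_id is not None else remote_ip
    msg = "|".join([identity, *data]).encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def check_hash_token(token: str, data: List[str], user_id: Optional[int], remote_ip: str) -> bool:
    """Recompute the token with the identity known at validation time."""
    return hmac.compare_digest(token, issue_hash_token(data, user_id, remote_ip))


def sudo_session_allowed(token_valid: bool, password_ok: bool, has_login_cookie: bool) -> bool:
    """The fall-through in the report: an invalid login_request_token means
    the credential check is skipped and the impersonator's existing login
    cookie authenticates the request, so the password is never examined."""
    if token_valid:
        return password_ok
    return has_login_cookie


def regressed_flow(password_ok: bool, ip: str = "198.51.100.7") -> bool:
    # Form rendered while the impersonator (uid 42) is logged in: token bound to the uid.
    token = issue_hash_token(["sudo_prepare"], user_id=42, remote_ip=ip)
    # Form submitted before authentication: uid unknown, so validation uses the IP.
    valid = check_hash_token(token, ["sudo_prepare"], user_id=None, remote_ip=ip)
    return sudo_session_allowed(valid, password_ok, has_login_cookie=True)


def fixed_flow(password_ok: bool, ip: str = "198.51.100.7") -> bool:
    # Fix from the thread: unset the user ID when issuing the token so both
    # sides derive it from the same identity data.
    token = issue_hash_token(["sudo_prepare"], user_id=None, remote_ip=ip)
    valid = check_hash_token(token, ["sudo_prepare"], user_id=None, remote_ip=ip)
    return sudo_session_allowed(valid, password_ok, has_login_cookie=True)
```

The regressed flow accepts an empty or wrong password because the mismatched token never reaches the credential check; the fixed flow rejects it.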
Decreasing the severity based on the discussion which took place in bug 502649. mkanat suggested dropping this extra password check before starting a sudo session. The impersonator must already be logged in and must have the required privs, and so this regression doesn't let you abuse Bugzilla to become an impersonator if you don't already have the required privs.
Severity: critical → major
Comment on attachment 8564457 (patch, v1). Review of attachment 8564457: r=dkl
Attachment #8564457 - Flags: review?(dkl) → review+
To ssh://email@example.com/bugzilla/bugzilla.git 9f76caa..10aa3f0 master -> master
To ssh://firstname.lastname@example.org/bugzilla/bugzilla.git b4c5ed1..c473640 5.0 -> 5.0
To ssh://email@example.com/bugzilla/bugzilla.git 24b471d..0a18f0f 4.4 -> 4.4
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Summary: Impersonate does not check the confirmation password requested before starting the session → When starting a sudo session, the password is not validated