LDAP User Authentication with Complicated Password

[penfold1972]

/!\ To report a security issue please follow this procedure:
[https://github.com/OpenNebula/one/wiki/Vulnerability-Management-Process]

Description
While testing LDAP user authentication, a user with a password that contains a component that can be URI encoded globbers the password being submitted to LDAP.

To Reproduce
Create a user in LDAP with "Pass%22word" and then try to login as that user in fireedge/sunstone. The password gets encoded to "Pass@word" during the LDAP BIND as that user. However, if you type "Pass%2522word" into the web interface, it gets encoded to the correct password "Pass%22word" and succeeds.

Expected behavior
The expected behavior is for the characters a user enters into the password field to be processed in such a way that they are submitted to LDAP as entered verbatim. I would also expect the input to be processed/escaped to avoid the normal hacks (e.g. SQL injection, etc)

Details

• Affected Component: [ Sunstone / FireEdge ]
• Hypervisor: KVM
• Version: 7.0.0

Additional context
Add any other context about the problem here.

Progress Status

• Code committed
• Testing - QA
• Documentation (Release notes - resolved issues, compatibility, known issues)

[miracleheras]

After the discussion with @xorel
We can inform that this issue is coming from LDAP auth driver.

1. Password is wrong in the auth driver

# echo "<AUTHN> <USERNAME>usertest</USERNAME> <PASSWORD>-</PASSWORD> <SECRET>Pass%22word</SECRET> </AUTHN>" | /var/lib/one/remotes/auth/ldap/authenticate
Trying LDAP server serverA 
"uid=usertest,ou=people,dc=orgA"
"Pass\"word"                     <<<<<<
Bad user/password
Could not authenticate user usertest

2. Password is sen't correctly from CLI

08:45:57.121565 IP 127.0.0.1.51972 > 127.0.0.1.2633: Flags [P.], seq 211:385, ack 1, win 342, options [nop,nop,TS val 3728025339 ecr 3728025339], length 174
E.....@.@..o..........
IR.z.Q.I....V.......
.5&..5&.<?xml version="1.0" ?><methodCall><methodName>one.userpool.info</methodName><params><param><value><string>usertest:Pass%22word</string></value></param></params></methodCall>

[penfold1972]

I had assumed that it was happening in the actual web interface when the user entered the password.

If the password is Pass%22word for usertest, this will work:
echo "<AUTHN> <USERNAME>usertest</USERNAME> <PASSWORD>-</PASSWORD> <SECRET>Pass%2522word</SECRET> </AUTHN>" | /var/lib/one/remotes/auth/ldap/authenticate
This URI encodes the "%" in the password, so "Pass%22word" is actually passed to the LDAP server. But the user wouldn't have a way of knowing that behavior or work around.

I never tested the CLI, so I am glad to hear that is not experiencing the issue.