[SAC] LDAP users still being created during maintenance

Sandro Santilli strk at keybit.net
Wed May 11 09:45:44 PDT 2016


On Wed, May 11, 2016 at 09:05:24AM -0700, Frank Warmerdam wrote:
> I did this.
> 
> People need to create IDs!

How about moving the creation script under auth/, allowing
users from specific project groups to create more users?

Then the maintenance page could report something like:
"ask another OSGeo User to create the account for you"

But I understand this would be problematic as whoever creates
the user needs to know the user password, correct?

--strk;

> On May 11, 2016 8:46 AM, "Sandro Santilli" <strk at keybit.net> wrote:
> 
> > I spotted a new user which was created _after_ we put the form
> > back to maintenance mode. The POST was directly done to the
> > renamed script. I think the renamed script URL was at some point
> > found in the form but I don't know who made the change.
> >
> > The files modification dates are (UTC):
> >
> >    May 10 06:41 for the renamed script with exposed new url
> >    May  9 13:39 for the renamed script with no exposed new url
> >    May  9 18:31 when the form was put in maintenance mode
> >
> > The POST to renamed script happened 24 hours after the exposed url
> >
> >    11/May/2016:05:54:01 -0700
> >
> > And resulted in the creation of a "vvk" user (with .ru email address):
> >
> >    createTimestamp: 20160511125401Z
> >
> > The POST came from ip 77.242.110.178, which also issued a GET
> > for the renamed-form URL at:
> >
> >    11/May/2016:05:51:36 -0700
> >
> > The very first request to the renamed script was issued on
> >
> >    [09/May/2016:22:59:33 -0700] from 173.247.202.130
> >    That is:  May 10 05:59 UTC
> >
> > For now I removed the execute bit from the disabled script, but let
> > me know if it was an "internal" backdoor legitimately used.
> >
> > --strk;
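An added example (not code from the thread) of the cross-check strk describes above: Apache access-log times carry a -0700 offset while LDAP createTimestamp values are UTC, so both are normalised to UTC before flagging accounts created after the maintenance cutoff and matching them to a POST on the creation script. The log lines, client IPs and script paths below are constructed; only the timestamps are taken from the report.

```python
from datetime import datetime, timezone

# Constructed sample data (not the real server logs): an access-log excerpt
# and LDAP entries, reusing the timestamps quoted in the incident report.
ACCESS_LOG = """\
192.0.2.10 - - [11/May/2016:05:51:36 -0700] "GET /renamed-form.html HTTP/1.1" 200 1234
192.0.2.10 - - [11/May/2016:05:54:01 -0700] "POST /renamed-create.php HTTP/1.1" 302 0
198.51.100.7 - - [11/May/2016:06:10:00 -0700] "GET /index.html HTTP/1.1" 200 512
"""
LDAP_ENTRIES = [
    {"uid": "example-user", "createTimestamp": "20160511125401Z"},
    {"uid": "old-user", "createTimestamp": "20160508090000Z"},
]
# Moment the signup form went into maintenance mode (UTC, from the report).
MAINTENANCE_CUTOFF = datetime(2016, 5, 9, 18, 31, tzinfo=timezone.utc)


def parse_apache_time(stamp):
    """'11/May/2016:05:54:01 -0700' -> aware datetime converted to UTC."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)


def parse_ldap_time(stamp):
    """LDAP GeneralizedTime '20160511125401Z' -> aware datetime in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_access_log(text):
    """Yield (utc_time, client_ip, method, path) for each combined-format line."""
    for line in text.splitlines():
        ip, rest = line.split(" ", 1)
        stamp = rest[rest.index("[") + 1 : rest.index("]")]
        method, path = rest.split('"')[1].split(" ")[:2]
        yield parse_apache_time(stamp), ip, method, path


def accounts_created_after_cutoff(entries, cutoff=MAINTENANCE_CUTOFF):
    """Return uids whose createTimestamp is later than the maintenance cutoff."""
    return [e["uid"] for e in entries if parse_ldap_time(e["createTimestamp"]) > cutoff]


def correlate_creations(entries, log_text, path_fragment, window_seconds=5):
    """Match each post-cutoff creation to a POST on the creation script that
    landed within window_seconds of it; returns (uid, client_ip, utc_iso)."""
    posts = [(t, ip) for t, ip, m, p in parse_access_log(log_text)
             if m == "POST" and path_fragment in p]
    hits = []
    for e in entries:
        created = parse_ldap_time(e["createTimestamp"])
        if created <= MAINTENANCE_CUTOFF:
            continue
        for t, ip in posts:
            if abs((created - t).total_seconds()) <= window_seconds:
                hits.append((e["uid"], ip, t.isoformat()))
    return hits
```

With the report's own values, the 05:54:01 -0700 POST converts to 12:54:01 UTC, which is exactly the createTimestamp 20160511125401Z.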
