We released 2 minor versions of SSOwat 2.6.6 and 2.6.7, the tool handling user authentication for YunoHost, to include two security fixes, two security improvements and one bug fix.
In includes the first security fix, when you install an application on YunoHost, you can tell which users are allowed to access it. Following a bug report by siddy we discovered that if a YunoHost user request using basic HTTP authentication (this is not the standard way to use the authentication), his permissions to access a specific app were not checked thus allowing him or her to access applications for which he did not have permissions.
To make it clear, for this bug to be exploited, someone needs to:
- have a user account on the YunoHost instance
- have a restricted access to an application
- know that this application exists and its URL
- know that the application is only protected by the SSO
- be aware of basic HTTP Auth and know how to use it (not that hard but still)
It includes the second security fix, which, currently SSOwat is storing a series of information in memory on the cache, in the situation in which a user is going to a different domain protected by SSOwat than the domain used for login, his/her browser sends a special request with a key that SSOwat uses to look up for the good information in the cache and returns it to the user. The problem is that this key is not filtered so this allows the user to look at the cache which can contain critical information (a thing that we plan on changing). This is also a bug report (and this time) a fix by sidddy.
For this bug to be exploited:
- someone needs to have an account on the YunoHost instance
- the YunoHost instance uses several domains
- be able to forge this request (it’s pretty easy if you are a bit tech)
Regarding the security improvement we use:
- a stronger hashing algorithm for the token generation (hmac_sha512)
- a cryptographic secure random number generator
Regarding the bug fix:
- we removed a useless information at the authentication token’s creation that was causing the infamous “infinite redirection bug”
We very strongly recommend you to upgrade the SSOwat package as soon as possible (while you are safe if you are alone on your YunoHost, the security improvements are really recommended).
This is a good opportunity to repeat our main advice (read: What YunoHost is not):
you can host your friends, your family and your company safely and with ease, but you have to trust your users, and they have to trust you above all. If you do want to provide YunoHost services for unknown persons anyway, a full VPS per user will be just fine, and we believe is a better way to go.
Upgrading is pretty simple: use the update feature in the administration page or alternatively, use the following command line logged as root:
apt-get update && apt-get dist-upgrade
We thank you for your trust and we committed to always improve YunoHost’ security.
We also thank a lot sidddy for his bug reports, help and contribution to improve the security in YunoHost.