Nginx does not ship with LDAP integration by default. There is, however, a third-party module that adds it, called nginx-auth-ldap; it is compiled into nginx at build time.
I've recently been tasked to come up with an implementation of this using Docker virtualization technology and just wanted to share this so others won't have to go through the same process I did when I was testing this out.
Dockerfile content below:
# Nginx-Auth-LDAP Dockerfile
FROM ubuntu:latest
RUN apt-get update
RUN apt-get install -y wget build-essential libldap2-dev libssl-dev zlib1g-dev libpcre3 libpcre3-dev git libc6 libexpat1 libgd2-xpm-dev libgeoip1 libgeoip-dev libpam0g libssl1.0.0 libxml2 libxslt1.1 libxslt-dev zlib1g perl openssl
RUN cd /root && wget http://nginx.org/download/nginx-1.6.0.tar.gz && tar xvzf nginx-1.6.0.tar.gz
RUN cd /root/nginx-1.6.0 && git clone https://github.com/kvspb/nginx-auth-ldap.git
RUN mkdir -p /opt/nginx
ADD config /root/nginx-1.6.0/nginx-auth-ldap/config
RUN cd /root/nginx-1.6.0 && ./configure --prefix=/opt/nginx --user=www-data --group=www-data --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_gzip_static_module --with-http_stub_status_module --add-module=nginx-auth-ldap && make && make install
ADD nginx /etc/init.d/nginx
RUN chmod +x /etc/init.d/nginx
ADD nginx.conf /opt/nginx/conf/nginx.conf
VOLUME ["/data", "/opt/nginx/sites-enabled", "/opt/nginx/log"]
EXPOSE 8000
WORKDIR /opt/nginx
CMD ["/etc/init.d/nginx", "start"]
config file content:
ngx_addon_name=ngx_http_auth_ldap_module
HTTP_MODULES="$HTTP_MODULES ngx_http_auth_ldap_module"
NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_auth_ldap_module.c"
CORE_LIBS="$CORE_LIBS -lldap -llber"
case "$NGX_PLATFORM" in
    SunOS:*)
        CORE_LIBS="$CORE_LIBS -llber"
    ;;
esac
CFLAGS="$CFLAGS"
nginx.conf file content:
# Keep nginx in the foreground: the Dockerfile's CMD runs the init script as the
# container's main process, and that script would return (and the container stop)
# as soon as nginx daemonised.
daemon off;
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    ldap_server test1 {
        url ldap://ldapurl/DC=maindc,DC=com?sAMAccountName?sub?(objectClass=person);
        binddn "cn=root";
        binddn_passwd password;
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require valid_user;
    }
    server {
        listen 8000;
        server_name localhost;
        auth_ldap "Forbidden";
        auth_ldap_servers test1;
        location / {
            root html;
            index index.html index.htm;
        }
    }
}
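The ldap_server block is where the security-relevant choices in this setup live: the url scheme decides whether the bind credentials and every user's password cross the network in cleartext, binddn_passwd puts a directory password into a file that the Dockerfile bakes into the image, and require decides which users are accepted at all. The following is an added example, not code from the original post or from the nginx-auth-ldap project: a small Python lint that parses nginx.conf just far enough to locate ldap_server blocks and flags those three points. The second sample block, its hostname ldap.example.internal and the group DN are constructed for the example.

```python
"""Lint the ldap_server blocks of an nginx-auth-ldap configuration.

Added example (not from the original post or the nginx-auth-ldap project).
It parses enough of the nginx.conf grammar to find 'ldap_server NAME { ... }'
blocks at any depth and reports the settings a reviewer would flag.
"""
import re

# Tokens: quoted strings, the structural characters { } ; or any run of other
# non-space characters (covers LDAP URLs containing '?', '=', '(' and ')').
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def tokenize(text):
    """Split config text into tokens; '#' comments are dropped.
    A '#' inside a quoted value is not handled, which is fine for this lint."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(TOKEN_RE.findall(line.split("#", 1)[0]))
    return tokens


def parse(tokens):
    """Return a list of (args, children): children is None for a simple
    'name arg...;' directive and a nested list for a 'name arg... { }' block."""
    def block(i):
        items, args = [], []
        while i < len(tokens):
            tok = tokens[i]
            i += 1
            if tok == ";":
                items.append((args, None))
                args = []
            elif tok == "{":
                children, i = block(i)
                items.append((args, children))
                args = []
            elif tok == "}":
                return items, i
            else:
                args.append(tok.strip("\"'"))
        return items, i
    return block(0)[0]


def find_blocks(items, name):
    """Yield (args, body) for every block called `name`, at any nesting depth."""
    for args, children in items:
        if children is None:
            continue
        if args and args[0] == name:
            yield args[1:], children
        yield from find_blocks(children, name)


def lint_ldap_servers(config_text):
    """Return a list of human-readable findings, one per problem per ldap_server."""
    findings = []
    for args, body in find_blocks(parse(tokenize(config_text)), "ldap_server"):
        name = args[0] if args else "<unnamed>"
        directives = {a[0]: a[1:] for a, _ in body if a}
        url = (directives.get("url") or [""])[0]
        if url.lower().startswith("ldap://"):
            findings.append(f"{name}: url uses cleartext ldap://; the bind DN, its "
                            "password and every user's credentials cross the network "
                            "unencrypted. Use ldaps:// to the directory.")
        if "binddn_passwd" in directives:
            findings.append(f"{name}: binddn_passwd is inline in nginx.conf, which the "
                            "Dockerfile copies into the image; anyone who can pull the "
                            "image can read it. Mount the config at run time instead.")
        if "require" not in directives:
            findings.append(f"{name}: no require directive; add require valid_user or "
                            "require group so the block states who is accepted.")
    return findings


# Constructed sample: the post's own block beside a hardened variant
# (ldap.example.internal and the group DN are made up for this example).
SAMPLE_CONF = """
http {
    ldap_server test1 {
        url ldap://ldapurl/DC=maindc,DC=com?sAMAccountName?sub?(objectClass=person);
        binddn "cn=root";
        binddn_passwd password;
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require valid_user;
    }
    ldap_server hardened {
        # TLS to the directory; no bind password stored in this file
        # (the constructed directory permits an anonymous search bind)
        url ldaps://ldap.example.internal/DC=maindc,DC=com?sAMAccountName?sub?(objectClass=person);
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require group "cn=web-users,ou=groups,DC=maindc,DC=com";
    }
}
"""

if __name__ == "__main__":
    for finding in lint_ldap_servers(SAMPLE_CONF):
        print(finding)
```

Run it against the real nginx.conf before `docker build`: on the post's own block it reports the cleartext ldap:// URL and the inline bind password, and nothing for the hardened variant.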
nginx file content:
#! /bin/sh
### BEGIN INIT INFO
# Provides:          nginx
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts the nginx web server
# Description:       starts nginx using start-stop-daemon
### END INIT INFO

PATH=/opt/nginx/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/opt/nginx/sbin/nginx
NAME=nginx
DESC=nginx

test -x $DAEMON || exit 0

# Include nginx defaults if available
if [ -f /etc/default/nginx ] ; then
    . /etc/default/nginx
fi

set -e

case "$1" in
  start)
    echo -n "Starting $DESC: "
    start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid \
        --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  stop)
    echo -n "Stopping $DESC: "
    start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid \
        --exec $DAEMON
    echo "$NAME."
    ;;
  restart|force-reload)
    echo -n "Restarting $DESC: "
    start-stop-daemon --stop --quiet --pidfile \
        /var/run/$NAME.pid --exec $DAEMON
    sleep 1
    start-stop-daemon --start --quiet --pidfile \
        /var/run/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  reload)
    echo -n "Reloading $DESC configuration: "
    start-stop-daemon --stop --signal HUP --quiet --pidfile /var/run/$NAME.pid \
        --exec $DAEMON
    echo "$NAME."
    ;;
  *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
    exit 1
    ;;
esac

exit 0
Monday, September 8, 2014
Thursday, September 4, 2014
Tuesday, August 5, 2014
SAP HANA XS Missing encryption in form-based authentication
Onapsis Security Advisory 2014-021: SAP HANA XS Missing encryption in form-based authentication
This advisory can be downloaded in PDF format from http://www.onapsis.com/.
1. Impact on Business
SAP HANA XS does not enforce any encryption in the form-based authentication. It could allow an anonymous user to get information such as valid credentials from network traffic, gaining access into the system.
Risk Level: Low
2. Advisory Information
- Public Release Date: 2014-07-29
- Subscriber Notification Date: 2014-07-29
- Last Revised: 2014-07-25
- Security Advisory ID: ONAPSIS-2014-021
- Onapsis SVS ID: ONAPSIS-0094
- Researcher: Sergio Abraham, Manuel Muradas
- Initial Base CVSS v2: 2.9 (AV:A/AC:M/AU:N/C:P/I:N/A:N)
3. Vulnerability Information
- Vendor: SAP
- Affected Components:
  - SAP HANA Extended Application Services (Check SAP Note 1963932 for detailed information on affected releases)
- Vulnerability Class: Cleartext Transmission of Sensitive Information (CWE-319)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Detection Module available in Onapsis X1: Yes
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-021
4. Affected Components Description
SAP HANA Extended Application Services (XS) is an application server, web server and development environment for web applications within the SAP HANA System. SAP HANA XS is fully integrated with the SAP HANA Database.
5. Vulnerability Details
SAP HANA Extended Application Services (XS) based applications can be set to "form-based authentication" access using SSL. When this configuration is set, the authentication mechanism does not properly enforce the required level of encryption.
Technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.
6. Solution
SAP has released SAP Note 1963932 which provides patched versions of the affected components.
The patches can be downloaded from https://service.sap.com/sap/support/notes/1963932.
Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risks.
Tuesday, July 29, 2014
Multiple Hard-coded Usernames in SAP components
Onapsis Security Advisories: Multiple Hard-coded Usernames (CWE-798) have been found and patched in a variety of SAP components.
Summaries of the advisories with links to full versions follow:
1. ONAPSIS-2014-011-SAP Project System Structures and Project-Oriented Procurement Hard-coded credentials
=======================================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
-- Affected Components:
* Project System
* Structures
* Project-Oriented Procurement
(Check SAP Note 1791081 for detailed information on affected releases)
-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-011
2. ONAPSIS-2014-012-SAP Brazil Specific Add-On Hard-coded Credentials
=====================================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 4.0 (AV:N/AC:L/AU:S/C:P/I:N/A:N)
-- Fix in SAP Note: 1768049
-- Affected Components:
* Brazil Specific Add-On
-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-012
3. ONAPSIS-2014-013-SAP OIL Industry Solution Traders and Schedulers Workbench Hard-coded Credentials
=====================================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 4.6 (AV:N/AC:H/AU:S/C:P/I:P/A:P)
-- Fix in SAP Note: 1920323
-- Affected Components:
* SAP Oil Industry Solution Traders and Schedulers Workbench
-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-013
4. ONAPSIS-2014-014-SAP Upgrade tools for ABAP Hard-coded credentials
=====================================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 4.9 (AV:N/AC:M/AU:S/C:N/I:P/A:P)
-- Fix in SAP Note: 1915873
-- Affected Components:
* SAP Upgrade Tools
-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-014
5. ONAPSIS-2014-015-SAP Web Services Tool Hard-coded Credentials
================================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 3.5 (AV:N/AC:M/AU:S/C:P/I:N/A:N)
-- Fix in SAP Note: 1914777
-- Affected Components:
* SAP Web Services Tool
-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-015
6. ONAPSIS-2014-016-SAP CCMS Monitoring Hard-coded Credentials
==============================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
-- Fix in SAP Note: 1911174
-- Affected Components:
* SAP CCMS Monitoring
-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-016
7. ONAPSIS-2014-017-SAP Transaction Data Pool Hard-coded Credentials
====================================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
-- Fix in SAP Note: 1795463
-- Affected Components:
* SAP Transaction Data Pool
-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-017
8. ONAPSIS-2014-018-SAP Capacity Leveling Hard-coded Credentials
================================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
-- Fix in SAP Note: 1789569
-- Affected Components:
* SAP Capacity Leveling
-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-018
9. ONAPSIS-2014-019-SAP Open Hub Service Hard-coded Credentials
===============================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 4.9 (AV:N/AC:M/AU:S/C:P/I:P/A:N)
-- Fix in SAP Note: 1738965
-- Affected Components:
* SAP Open Hub Service
-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-019
SAP SLD Information Tampering
Onapsis Security Advisory 2014-020: SAP SLD Information Tampering
1. Impact on Business
=====================
By exploiting this vulnerability, a remote unauthenticated attacker might be able to modify technical information about the SAP systems, potentially leading to a full compromise of all business information.
Risk Level: High
2. Advisory Information
=======================
-- Public Release Date: 2014-06-06
-- Subscriber Notification Date: 2014-06-06
-- Last Revised: 2014-06-06
-- Security Advisory ID: ONAPSIS-2014-020
-- Onapsis SVS ID: ONAPSIS-SVS00081
-- Researchers: Jordan Santarsieri, Pablo Muller, Juan Perez-Etchegoyen
-- Initial Base CVSS v2: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
3. Vulnerability Information
============================
-- Vendor: SAP
-- Affected Components:
* SAP System Landscape Directory (available in all SAP JAVA App Servers)
(Check SAP Note 1939334 for detailed information on affected releases)
-- Vulnerability Class: Improper Handling of Insufficient Permissions
or Privileges (CWE-280)
-- Remotely Exploitable: Yes
-- Locally Exploitable: No
-- Authentication Required: No
-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-020
4. Affected Components Description
==================================
According to the vendor, "The System Landscape Directory (SLD) of SAP NetWeaver is the central source of system landscape information relevant for the management of your software life-cycle" [1].
5. Vulnerability Details
========================
The SLD is a central repository of technical and SAP systems-related information. The mechanism used to add new systems to the SLD is not properly secured by default, meaning that a remote unauthenticated attacker could interact with the SLD and, because of its architectural design, it could lead to a full SAP SLD system compromise.
Technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.
6. Solution
===========
SAP has released SAP Note 1939334 which provides patched versions of the affected components.
The patches can be downloaded from https://service.sap.com/sap/support/notes/1939334.
Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risks.
Thursday, January 9, 2014
Hack in the Box Magazine
I'm an avid reader of eBooks and IT Security has taken my curiosity for quite a while now. There are a number of online forums and references available and a few sites that serve as testing ground for would-be IT Security enthusiasts. Right now though what caught my attention is a site that caters for a free version of their magazine HITB Magazine.
True to the idea of the Open Source community, this site offers this knowledge-rich reference for free. So far, they have been able to release issues on a regular basis (I wonder though how long that will last). It's like an FHM for hackers :) and I'd recommend it for people who want to get updated on the who's who and what's what of the IT Security world.