
Comments (5)

nitnelave avatar nitnelave commented on May 28, 2024 1

It's not currently possible to lock a field. But you might be interested in this issue created today: #570

It'll have to wait until after #67 though, to benefit from the field-level control and modularity.


nitnelave avatar nitnelave commented on May 28, 2024

I'm a bit curious about your threat model: who are your users? Usually LLDAP is meant for a self-hosted case where users are lovingly hand-created by the admin, with a certain amount of trust. At least, that's been the working model so far, without issues. The security features that involve non-user behavior have always been taken seriously, but so far not so much the ones involving user behavior.

(There is one exception to that, something I want to address: since any user can change their email to the email of someone else, they can get admin access to a system that identifies by email. But I'll make emails unique to prevent this)

Notes for future implementers: the email-reset flow is probably too complex, and I don't want to implement rate-limits in LLDAP (you can always do that at the proxy level in front), so if we implement something, it'd be a setting to disable changing your email without admin rights.


marlon0 avatar marlon0 commented on May 28, 2024

Yes, it's really the exception you mentioned that is the serious practical problem:
Currently a user can change their email address to the same address as an app's admin account. Then when they log in to the app using their own account, they'll be identified as the admin and have admin access.

You're right that requiring emails to be unique would solve this security issue, that's probably a better fix!


nitnelave avatar nitnelave commented on May 28, 2024

(Note that it's a breaking change, so the server will not start if you have duplicate emails)


hudac avatar hudac commented on May 28, 2024

I understand this issue has been closed already. But we ran into a similar potential security issue.

Requiring emails to be unique within LLDAP definitely solves the issue here, but only if LLDAP is the only source for user authentication. But in our case, we are using ID federation (via Dex), which usually connects multiple ID providers. If I know the email of a user that uses Google for login, and I have an account on LLDAP, it is possible for me to "impersonate" the email of that user by just changing my email on LLDAP. And the solution we use relies on email for identifying users uniquely, regardless of whether they log in via Google, or AD, or in this case LLDAP: same email means same user.

so if we implement something, it'd be a setting to disable changing your email without admin rights.

Is this already possible? Could not find anything in the config. That would at least reduce the risk above.

Another idea: Forced email verification (can be turned on/off via config).
This would apply to new users, as well as to changing the email of existing users. In order to become "active", meaning a login via LDAP can succeed, the new email must always be confirmed by the email owner first (a similar flow to the password reset). Otherwise, login should fail as if the credentials were wrong.

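The takeover the thread describes, as an added example in Rust that is not LLDAP's or Dex's code: a toy directory whose users can edit their own e-mail, a federation layer that forwards (connector, subject, email) claims after a successful bind, and a relying app that resolves roles either by e-mail (vulnerable) or by IdP-scoped subject (hardened). The user names, addresses, connector names and the `Directory`/`App`/`Claims` types are all constructed for the example. The `unique_emails` flag models the fix nitnelave describes for the single-directory case (marlon0's scenario); the second scenario shows why that check does not cover the federated case hudac raises, where the colliding address belongs to a user at a different provider.

```rust
// Added illustration, not LLDAP's or Dex's code. Every user, address,
// connector name and role below is constructed for the example.
use std::collections::HashMap;

#[derive(Clone, Debug)]
pub struct DirUser {
    pub uid: String,   // admin-assigned, never changes
    pub email: String, // self-service editable in the vulnerable configuration
}

/// Toy self-hosted directory. With `unique_emails` set, a change is refused
/// when another account already carries the address.
pub struct Directory {
    users: HashMap<String, DirUser>,
    unique_emails: bool,
}

impl Directory {
    pub fn new(unique_emails: bool) -> Self {
        Directory { users: HashMap::new(), unique_emails }
    }

    pub fn add(&mut self, uid: &str, email: &str) {
        let u = DirUser { uid: uid.to_string(), email: email.to_string() };
        self.users.insert(uid.to_string(), u);
    }

    /// Self-service e-mail change: the operation any regular user can perform.
    pub fn set_email(&mut self, uid: &str, new_email: &str) -> Result<(), String> {
        if self.unique_emails {
            let taken = self.users.values()
                .any(|u| u.uid != uid && u.email.eq_ignore_ascii_case(new_email));
            if taken {
                return Err(format!("{} is already assigned to another user", new_email));
            }
        }
        match self.users.get_mut(uid) {
            Some(u) => { u.email = new_email.to_string(); Ok(()) }
            None => Err(format!("unknown user {}", uid)),
        }
    }

    /// What a federation layer forwards to the app after a successful LDAP bind.
    pub fn claims(&self, connector: &str, uid: &str) -> Option<Claims> {
        self.users.get(uid).map(|u| Claims {
            connector: connector.to_string(),
            subject: u.uid.clone(),
            email: u.email.clone(),
        })
    }
}

#[derive(Clone, Debug)]
pub struct Claims {
    pub connector: String, // which upstream IdP issued the identity ("lldap", "google", ...)
    pub subject: String,   // stable identifier at that IdP
    pub email: String,     // attacker-influenced when users may edit it freely
}

/// Relying application with two ways of mapping a login to a role.
#[derive(Default)]
pub struct App {
    by_email: HashMap<String, String>,
    by_subject: HashMap<(String, String), String>,
}

impl App {
    pub fn grant(&mut self, connector: &str, subject: &str, email: &str, role: &str) {
        self.by_email.insert(email.to_ascii_lowercase(), role.to_string());
        self.by_subject.insert((connector.to_string(), subject.to_string()), role.to_string());
    }

    /// Vulnerable lookup: whoever presents the address gets the role.
    pub fn role_by_email(&self, c: &Claims) -> &str {
        self.by_email.get(&c.email.to_ascii_lowercase()).map(String::as_str).unwrap_or("user")
    }

    /// Hardened lookup: the role is bound to the connector-scoped subject.
    pub fn role_by_subject(&self, c: &Claims) -> &str {
        let key = (c.connector.clone(), c.subject.clone());
        self.by_subject.get(&key).map(String::as_str).unwrap_or("user")
    }
}

/// Scenario 1 (single directory): "mallory" sets her own e-mail to the app admin's.
/// Returns (change accepted?, role via e-mail lookup, role via subject lookup).
pub fn single_directory(unique_emails: bool) -> (bool, String, String) {
    let mut dir = Directory::new(unique_emails);
    dir.add("admin", "admin@example.test");
    dir.add("mallory", "mallory@example.test");
    let mut app = App::default();
    app.grant("lldap", "admin", "admin@example.test", "admin");

    let accepted = dir.set_email("mallory", "admin@example.test").is_ok();
    let c = dir.claims("lldap", "mallory").unwrap();
    (accepted, app.role_by_email(&c).to_string(), app.role_by_subject(&c).to_string())
}

/// Scenario 2 (federation): the admin lives at another IdP, so no LLDAP account
/// holds the address and uniqueness inside LLDAP cannot block the collision.
pub fn federated() -> (bool, String, String) {
    let mut dir = Directory::new(true);
    dir.add("mallory", "mallory@example.test");
    let mut app = App::default();
    app.grant("google", "108273", "alice@example.test", "admin");

    let accepted = dir.set_email("mallory", "alice@example.test").is_ok();
    let c = dir.claims("lldap", "mallory").unwrap();
    (accepted, app.role_by_email(&c).to_string(), app.role_by_subject(&c).to_string())
}

fn main() {
    println!("{:?}", single_directory(false)); // (true, "admin", "user")
    println!("{:?}", single_directory(true));  // (false, "user", "user")
    println!("{:?}", federated());             // (true, "admin", "user")
}
```

The durable fix sits on the relying-party side: key authorization on the provider's stable subject, scoped to the connector or issuer that asserted it, and treat the e-mail claim as a display attribute unless the provider that issued it is known to verify addresses. Unique e-mails inside the directory, or an admin-only e-mail change, narrow the window for the single-directory case but do nothing about an address that is unclaimed locally and privileged elsewhere.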
