Moodle

NTLM Authentication - Possible Exploit

Details

  • Type: Sub-task
  • Status: Closed
  • Priority: Major
  • Resolution: Not a bug
  • Affects Version/s: 1.9
  • Fix Version/s: 1.9.1
  • Component/s: Authentication
  • Labels:
    None
  • Environment:
    All
  • Database:
    Any
  • Affected Branches:
    MOODLE_19_STABLE
  • Fixed Branches:
    MOODLE_19_STABLE

Description

When using the NTLM authentication plug-in, it is possible to log in as any member signed up on that installation by using an HTTP header modification program, such as one that can be installed into Firefox, and changing the Authorization header to a Base64-encoded version of the username whose account you wish to access.

Activity

Petr Škoda (skodak) added a comment -

adding some more ppl here

Dan Marsden added a comment -

ummm. - this isn't possible IMO in the old plugin I wrote pre Moodle 1.9 (I have to admit I haven't looked at ML's implementation of it much in 1.9, so don't know if it's possible there.....) Martín? - any comments?

Dan Marsden added a comment -

I guess this "could" be possible when not using IIS but using a random Apache plugin that didn't check the authentication against anything? (my memory triggers something about a patch someone posted a long time ago before my ntlm plugin that was vulnerable to this....)...unless the new plugin that ML wrote is vulnerable? - Andy, are you able to provide more info about your setup?

thanks,

Dan

Dan Marsden added a comment -

Hi Andy,

is this the site you are referring to? - have you tested and managed to exploit this?
http://vle.wyke.ac.uk/moodle/auth/ntlm/oncampuslogin.php

this site looks like they have customised my old ntlm module - that page should give a pop-up ntlm auth box... not that error...... - it's possible that it is configured incorrectly.....

also - I see that server is running Apache under Windows - what are you using in Apache to do the ntlm translation - I'm guessing that this is possibly where the bug sits.

we'd like to fix it if it's a bug in the code, but I'm having trouble replicating it - can you please provide more information to help us debug your issue?

thanks,

Dan

Andy B added a comment -

A configuration quirk of that site means that the encoded username is passed as a GET into a server in the DMZ, which makes the process simpler. However, the encoded username is still retrieved using the HTTP header (with a pop-up box when necessary), therefore it is entirely conceivable that you can modify the header to send different credentials. Although I think it is necessary to be on the same domain for this to work, i.e. it cannot be done over the internet.

Dan Marsden added a comment -

afaik this is only possible when the web server is not running "true" NTLM but accepts any credentials passed (I have seen web servers configured this way!)

when using True NTLM the "credentials" passed to the server are more than just the "username" - excerpt from wikipedia's NTLM page:
http://en.wikipedia.org/wiki/NTLM

1. The client first sends a Type 1 message containing a set of flags of features supported or requested (such as encryption key sizes, request for mutual authentication, etc.) to the server.
2. The server responds with a Type 2 message containing a similar set of flags supported or required by the server (thus enabling an agreement on the authentication parameters between the server and the client) and, more importantly, a random challenge (8 bytes).
3. Finally, the client uses the challenge obtained from the Type 2 message and the user's credentials to calculate the response. The calculation methods differ based on the NTLM authentication parameters negotiated previously, but in general they apply MD4/MD5 hashing algorithms and DES encryption to compute the response. The client then sends the response to the server in a Type 3 message.

The response sent in part 3 - is not just a "username" header. - it contains an md5 which includes the password as well, which is then passed to AD for authentication.

....So if "true" NTLM has been enabled (eg IIS and integrated Authentication) then afaik this is not possible. - BUT if you are using an Apache mod that does not implement true NTLM then that may be where the problem is. - What are you using to perform NTLM?

thanks,

Dan

Iñaki Arenaza added a comment -

I completely agree with Dan. If you have configured NTLM on the ntlmsso_magic.php file (MartinL's 1.9 version) or oncampuslogin.php (Dan's version for 1.8 and below), there is no way to spoof the user's credentials. And if you haven't, there is no way Moodle can check it.

As far as I know, web server authentication (like NTLM) is done at the web server level, and is completely invisible to PHP (and therefore Moodle). We only get the username from the $_SERVER variable, but nothing that tells us that that username was actually authenticated via NTLM (or any other web server level authentication method).

Saludos. Iñaki.

Dan Marsden added a comment -

Hi Andy,

as the information you have provided sounds like it is a web server configuration issue, I'm flagging this as "not a bug" -If you're using one of the suggested methods of NTLM with apache in the moodle docs, and you have found one of the apache hacks is vulnerable, please let us know so we can update moodle docs.

thanks!

Dan

Martín Langhoff added a comment -

Agreed with Dan&Iñaki - needs an insecure IIS configuration to be insecure. Not our problem

Dan Marsden added a comment -

ummm... "shouldn't" be possible to have an "insecure IIS" NTLM config......more likely it will be an "insecure APACHE" NTLM config....

Dan
