Open-AudIT

What's on your network?
All times are UTC + 10 hours
PostPosted: Thu Nov 24, 2016 2:42 am 
Offline
Newbie

Joined: Tue Nov 22, 2016 1:50 am
Posts: 1
Hi All, when attempting to retrieve a valid auth token, regardless of the credentials I always get {"valid": false, "admin": false} as a response. See the detailed commands below:

curl -L -v -u open-audit_enterprise -H "Content-Type: applicatil+json" -c ./cookiefile -XGET "http://localhost/open-audit/index.php/login/login_auth"
Enter host password for user 'open-audit_enterprise':
* About to connect() to localhost port 80 (#0)
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'open-audit_enterprise'
> GET /open-audit/index.php/login/login_auth HTTP/1.1
> Authorization: Basic b3Blbi1hdWRpdF9lbnRlcnByaXNlOnMwMHBBS2lYOg==
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost
> Accept: */*
> Content-Type: applicatil+json
>
< HTTP/1.1 200 OK
< Date: Wed, 23 Nov 2016 16:32:38 GMT
< Server: Apache/2.2.15 (CentOS)
< X-Powered-By: PHP/5.3.3
* Added cookie PHPSESSID="carogn77idh05pv2n705odnmb1" for domain localhost, path /, expire 0
< Set-Cookie: PHPSESSID=carogn77idh05pv2n705odnmb1; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Content-Length: 32
< Connection: close
< Content-Type: application/json
<
* Closing connection #0
{"valid": false, "admin": false}

Despite being issued a cookie, when I try to use it, it rejects any API query I may choose to issue.

Open Audit version 1.12.8.1

PostPosted: Thu Nov 24, 2016 8:14 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1225
Login code in controllers\login.php looks to URI segments 3 and 4 for the username and password, or to the POST variables username and password. So try "http://localhost/open-audit/index.php/login/login_auth/specify_username/specify_password"

It does look like the response is not correct for a properly authenticated LDAP login for a non-admin user. It seems line 386
Code:
echo '{"valid": false, "admin": false}';
should be
Code:
echo '{"valid": true, "admin": false}';
And the response header should be 200, not 403.
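A client-side illustration of the login flow discussed in both posts, as an added example and not code from Open-AudIT or from either poster: it sends the username and password as POST variables (the second way the moderator says controllers\login.php reads them, and the one that keeps the password out of the URL, web server access logs and shell history), keeps the PHPSESSID cookie in a cookie jar, and reuses that cookie only when the server answered 200 with "valid": true. The base URL, the exact response handling and the assumption that a 403 may still carry the JSON body are assumptions made for this example; the JSON shape is taken from the thread.

```python
"""Added example (not Open-AudIT's own code): log in via login_auth with POST
credentials and only trust the session cookie on a valid, 200 response."""
import http.cookiejar
import json
import urllib.error
import urllib.parse
import urllib.request


def parse_auth_response(body: str) -> tuple[bool, bool]:
    """Turn the {"valid": ..., "admin": ...} body shown in the thread into
    (valid, admin). Anything else raises ValueError so a malformed or
    unexpected body can never be mistaken for a successful login."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"login_auth returned a non-JSON body: {body!r}") from exc
    if not isinstance(data, dict) or "valid" not in data or "admin" not in data:
        raise ValueError(f"login_auth body lacks valid/admin keys: {data!r}")
    return bool(data["valid"]), bool(data["admin"])


def build_login_request(base_url: str, username: str, password: str) -> urllib.request.Request:
    """Build the POST to <base_url>/login/login_auth with the credentials in the
    POST variables 'username' and 'password' (assumed base_url, e.g.
    http://localhost/open-audit/index.php)."""
    form = urllib.parse.urlencode({"username": username, "password": password}).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/login/login_auth",
        data=form,
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        method="POST",
    )


def login(base_url: str, username: str, password: str):
    """Perform the login and return (opener, is_admin). The returned opener
    carries the PHPSESSID cookie for later API calls. Raises PermissionError
    unless the server answered 200 and "valid": true; a 403 (the status the
    moderator says should not be sent for a valid non-admin LDAP user) is
    read for its body and then reported as a rejection."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    request = build_login_request(base_url, username, password)
    try:
        with opener.open(request, timeout=10) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # Assumption: an error status may still carry the JSON body, so read it
        # for the error message but never treat it as a successful login.
        status, body = err.code, err.read().decode("utf-8", "replace")
    valid, admin = parse_auth_response(body)
    if status != 200 or not valid:
        raise PermissionError(f"login rejected: HTTP {status}, body {body!r}")
    return opener, admin


if __name__ == "__main__":
    # Offline check against the exact body quoted in the first post; the
    # real call would be login("http://localhost/open-audit/index.php", "user", "pass").
    print(parse_auth_response('{"valid": false, "admin": false}'))  # (False, False)
```

With a rejected login the script refuses to reuse the cookie at all, which is the behaviour the first post is missing: a PHPSESSID was issued, but since the body said "valid": false the session was never authenticated, so every later API call with that cookie is rightly refused.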