ltb-project / self-service-password

Web interface to change and reset password in an LDAP directory
https://self-service-password.readthedocs.io/en/latest/
GNU General Public License v3.0

Problem with 1.1 #153

Closed cfasnacht closed 6 years ago

cfasnacht commented 7 years ago

Hi, I updated to version 1.1. All seems to work fine: I enter the old and new passwords and fill out the captcha. The new site loads and only shows "Self service password" on a green background, but the password is not changed. The only log entry I see is:

x.x.x.x - - [05/Oct/2017:10:41:35 +0200] "POST / HTTP/1.1" 500 1049 "https://passwd.x.x/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0" 0 747912

Thanks
Christian

plewin commented 7 years ago

Hi @cfasnacht, have you activated $debug = true to have more log entries?

cfasnacht commented 7 years ago

I have already activated debug in the output above with: $debug = true;

plewin commented 7 years ago

Hum, it is very strange that there is a 500 without details on the error.

On what platform are you? Are you using the rpm packages on a CentOS?

Also can you please provide a copy of the page source code when your problem appears. It will help me guess approximately where your problem is located in the code. Reproduce the bug -> Control + U to show the page source -> Control + A to select all -> Copy -> Paste in Gist https://gist.github.com/ & create secret gist -> Copy the link here

cfasnacht commented 7 years ago

I use CentOS 6.9 with this rpm: https://ltb-project.org/rpm/6/noarch/self-service-password-1.1-1.el6.noarch.rpm

Page source is here: https://gist.github.com/cfasnacht/9862b87b689f69871b2379c71cddf0ff

plewin commented 7 years ago

Hum, you are upgrading from 0.9, right?

Can you try to disable the captcha and try again, to see if the problem comes from the captcha feature?

$use_recaptcha = false;

Also, are you using the new $recaptcha_request_method option to solve your previous issue https://github.com/ltb-project/self-service-password/issues/145 ?

cfasnacht commented 7 years ago

You are right, I indeed updated from 0.9.1, and I have the same issue with captchas disabled. Do you have an idea what the problem could be?

plewin commented 7 years ago

Unfortunately I have no idea why you get an error and why there is no log while $debug = true. I hoped it was because of the captcha feature, because there are very few changes in code between 0.9 and 1.1 when changing a password using the standard form, except for the captcha.

Would you mind posting your config.inc.php in a secret gist and posting the link here, so I can review it and use it to try to reproduce the issue? Please change/erase the values of $ldap_bindpw, $keyphrase and $recaptcha_privatekey before posting it.

Also, to reproduce the issue, I need more details on your PHP environment.

Create the file /usr/share/self-service-password/info.php with this content:

<?php phpinfo(); ?>

Go to your usual URL for self service password + /info.php instead of /index.php, then Ctrl + A to select all, copy and paste it in another gist and post the link here please.

cfasnacht commented 7 years ago

https://gist.github.com/cfasnacht/d4d03c1277a1811c34981fca99af8965

Everything I changed I replaced with xxx, so you can easily see what I modified. Thanks a lot for the awesome support!

BTW: I don't use a bind user because I allow anonymous bind. Which I guess is quite special, but at least with 0.9 it worked like a charm.

plewin commented 7 years ago

I reproduced a similar issue. Can you please install mcrypt, restart httpd and retry:

sudo yum install mcrypt
sudo service httpd restart

If it still does not work, can you please post your phpinfo details in a gist (see my previous comment on how to: https://github.com/ltb-project/self-service-password/issues/153#issuecomment-334435995).

cfasnacht commented 7 years ago

It still does not work with mcrypt installed. The info.php page that is returned is empty. The error in the log file is:

script '/usr/share/self-service-password/info.php' not found or unable to stat

The file exists with the following permissions:

ll /usr/share/self-service-password/info.php
-rw-r--r-- 1 apache apache 20 5. Okt 17:18 /usr/share/self-service-password/info.php

cat /usr/share/self-service-password/info.php

<?php phpinfo(); ?>

plewin commented 7 years ago

Hi @cfasnacht,

Your Apache is strict with the script's permissions.

chmod +x /usr/share/self-service-password/info.php

should solve the "not found or unable to stat" problem

cfasnacht commented 7 years ago

-rwxr-xr-x 1 apache apache 20 12. Okt 14:32 /usr/share/self-service-password/info.php

cat /usr/share/self-service-password/info.php

<?php phpinfo(); ?>

log:

[12/Oct/2017:14:46:46 +0200] "GET /info.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0" 0 25690

There is no longer an error, but Apache returns an empty page.

plewin commented 7 years ago

I believe, but I am not sure, that your PHP settings were fortified for maximum security, and that is the reason we have so much trouble making SSP work for you. (And also that is why you had your previous problem with the captcha and allow_url_fopen.)

The small phpinfo script is failing, meaning that some PHP functions are blacklisted (disable_functions is configured in PHP) because they are sensitive. Also there is no warning, meaning that errors are not displayed by default, or they are logged somewhere else, perhaps.

A priori, we can't help you make SSP work with your current PHP settings.

I see 2 things we can do from here:

1) Backup and reconfigure your /etc/php.ini (perhaps also some /etc/php.d/) with the default / stock distro config file to see if SSP works, and then update the php.ini again to reapply, from the backup, the security changes previously made, until SSP breaks. Note: Apache must be restarted each time there is a change in /etc/php.ini.

2) Post a copy of your /etc/php.ini and (cat /etc/php.d/) in a gist and we will be able to tell you what in your config breaks SSP.
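A defender-side check for the kind of hardened php.ini plewin describes, added here as an example that is neither part of this thread nor SSP's own code: it parses a constructed php.ini fragment, reports which functions an application needs (an assumed, hypothetical list passed by the caller) are blocked by disable_functions, and shows where errors land when display_errors is Off, which is why the page comes back blank instead of with an error.

```shell
# Constructed sample of a hardened /etc/php.ini fragment (assumed values,
# modelled on the disable_functions line discussed in this thread).
SAMPLE_INI='
; hardened php.ini excerpt (constructed sample)
display_errors = Off
log_errors = On
error_log = /var/log/httpd/php5.log
disable_functions = "phpinfo, pcntl_exec, show_source"
allow_url_fopen = Off
'

# Print the functions listed in disable_functions, one per line,
# with quotes and surrounding whitespace stripped.
disabled_functions() {
    printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' |
    tr -d '"' | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sed '/^$/d'
}

# Exit 0 if function "$2" is blacklisted in the ini text "$1".
is_disabled() {
    disabled_functions "$1" | grep -qx "$2"
}

# Report each required function (hypothetical list given as arguments)
# as ok or BLOCKED; the return value is the number of blocked functions,
# so a non-zero status means the application cannot work as configured.
check_required() {
    ini=$1; shift
    blocked=0
    for fn in "$@"; do
        if is_disabled "$ini" "$fn"; then
            echo "BLOCKED: $fn"
            blocked=$((blocked + 1))
        else
            echo "ok:      $fn"
        fi
    done
    return "$blocked"
}

# Where PHP writes errors when display_errors is Off: the file to read
# instead of expecting a message in the browser.
error_log_path() {
    printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*error_log[[:space:]]*=[[:space:]]*//p'
}
```

Run it against the real file with `check_required "$(cat /etc/php.ini)" phpinfo ldap_bind` (function names as required by the application in question); remember that php.d/ drop-ins can add to disable_functions as well.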

cfasnacht commented 6 years ago

You are right:

/etc/php.ini

disable_functions = "phpinfo, pcntl_exec, show_source"

I commented out this line, here is the info.php site: https://gist.github.com/cfasnacht/c605a3f76acecae482e6e2a20d142b23

With the self service password I still have the same issue.

Again thanks for your help! :-)

plewin commented 6 years ago

Ouch,

Your installation uses PHP 5.3. We do not test on this version anymore; we test starting from 5.4. I am not sure that SSP 1.1 is compatible with PHP 5.3. I think so, because the changes breaking compatibility with 5.3 were postponed to SSP 1.2, but it is possible that we left a piece of code breaking with PHP 5.3.

I recommend that you upgrade your PHP version: https://secure.php.net/supported-versions.php

According to your phpinfo details, your log file is located at /var/log/httpd/php5.log. With $debug = true, you should see the error at the end of the file. I guess a "syntax error" or "undefined function", confirming a PHP compatibility problem.

plewin commented 6 years ago

Hi @cfasnacht, do you still need assistance?

plewin commented 6 years ago

I am closing this thread because of inactivity. Please reopen it, or a new one, if you still need assistance.

cfasnacht commented 6 years ago

We moved this to CentOS 7.4 with PHP 5.4, and now everything works! Thanks!