mod_auth_ldap and mod_auth_ldap2 from the Prosody community modules repository (prosody-modules) incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities access to admin-only functionality if their username matches the username of a local admin.
mod_auth_ldap and mod_auth_ldap2 have the optional ability to grant admin access based on an LDAP filter string.
Both modules only use the 'user' part of the JID they are checking and ignore the host part, which means a user of a remote server who has the same username as a local admin may be inadvertently granted admin access to the local server.
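To make the flaw concrete, here is an added illustration in Lua (the language Prosody modules are written in). It is not code from prosody-modules: the LDAP query is replaced by a constructed table of usernames standing in for what an ldap_admin_filter / ldap_admins lookup would return, the host names and usernames are invented, and jid_split is a local re-implementation rather than Prosody's util.jid. The "fixed" variant shows the host check that the advisory implies is missing; it is the example's own approach, not a transcription of the upstream patch.

```lua
-- Added example, not prosody-modules code. The VirtualHost this auth
-- module would serve (assumed value).
local module_host = "example.com"

-- Constructed stand-in for the directory lookup: usernames that LDAP
-- reports as admins. In the real modules this comes from ldap_admin_filter
-- or ldap_admins.
local ldap_admin_users = { admin = true, ops = true }

-- Split a JID into node, host, resource (same contract as util.jid.split,
-- re-implemented here so the block runs stand-alone).
local function jid_split(jid)
    if not jid then return nil end
    local node, host, resource = jid:match("^([^@/]+)@([^@/]+)/(.+)$")
    if node then return node, host, resource end
    node, host = jid:match("^([^@/]+)@([^@/]+)$")
    if node then return node, host, nil end
    host, resource = jid:match("^([^@/]+)/(.+)$")
    if host then return nil, host, resource end
    return nil, jid, nil
end

-- Vulnerable shape: only the user part is consulted, so admin@evil.example
-- is treated exactly like admin@example.com.
local function is_admin_vulnerable(jid)
    local user = jid_split(jid)
    return user ~= nil and ldap_admin_users[user] == true
end

-- Hardened shape: the JID must belong to this host before the username is
-- looked up, so a remote user with a colliding username is rejected.
local function is_admin_fixed(jid)
    local user, host = jid_split(jid)
    if user == nil or host ~= module_host then return false end
    return ldap_admin_users[user] == true
end

-- Constructed checks demonstrating the difference.
assert(is_admin_vulnerable("admin@example.com") == true)
assert(is_admin_vulnerable("admin@evil.example") == true)   -- the bug
assert(is_admin_fixed("admin@example.com") == true)
assert(is_admin_fixed("admin@example.com/laptop") == true)  -- full JID still ok
assert(is_admin_fixed("admin@evil.example") == false)       -- remote user rejected
assert(is_admin_fixed("example.com") == false)              -- bare host, no user
print("admin checks behave as expected")
```

The important line is the host comparison in is_admin_fixed: an XMPP server routinely evaluates is_admin() for stanzas from federated servers, so any admin test that discards the host part silently extends local privilege to every remote domain.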
Prosody deployments that use mod_auth_ldap or mod_auth_ldap2 (e.g. through the configuration option authentication = "ldap") combined with any of the following options:

- ldap_admin_filter (mod_auth_ldap)
- ldap_admins (mod_auth_ldap)
- the admin field of the ldap configuration option (mod_auth_ldap2)

If you do not use either of these LDAP modules you are not affected. If you use the LDAP modules but do not use any of the options listed here, you are also not affected (but upgrading is still recommended).
Update to the latest prosody-modules or remove the admin options listed above from your configuration file. There is no need to upgrade Prosody itself.
If you have prosody-modules downloaded through Mercurial (hg) you can run:
hg pull
hg update default
hg log -r f2b29183ef08
If all these commands succeed (in particular, the last one finds revision f2b29183ef08, which contains the fix), you are up to date. Restart Prosody after updating prosody-modules.
Users of the prosody-modules Debian package can expect an update from Debian soon.
Discovered by the Prosody team during review.