Cannot modify 'admin' user's empty password in LifeTime-managed on-prem environment

Apologies if I have posted this in the incorrect forum.

I have an issue with an on-premises OutSystems environment managed by LifeTime running on version 9.0.1.50 (build 56481: tags/v9_0_1_50 @ 2016-01-06 10:49:55).

In short, the 'admin' user in LifeTime and in ServiceCenter for my dev/test/prod environments has a blank password and I am unable to change it. When I login to LifeTime with this blank password and attempt to edit the 'admin' user's password via Administrator -> My Settings, only the email address text field is editable. I cannot enter any text into the password fields.

Curiously, if I access the Users application on my LifeTime host and login as 'admin', it does not accept an empty password and instead requires the password I configured at install time, which seems like the correct and expected behavior.

If I query the ossys_user database table in my LifeTime or other environments, I can see that I have two 'admin' user accounts: the first with ID=1 and TENANT_ID=1, the second with ID=2 and TENANT_ID=13 (which corresponds to the Users app). Both of these 'admin' accounts have the exact same crypted data in the PASSWORD column in LifeTime's database; yet the Users application requires a password and the LifeTime application does not.

I would like to have the 'admin' user in LifeTime and ServiceCenter require a password as otherwise this appears extremely insecure. Can anybody offer any guidance?

Thanks!

Hi Brian,


Pretty sure it shouldn't let you enter without a password. Did you configure any external authentication providers like LDAP? (not sure if those were added in 9.0.1 or 9.1)


If the problem continues, I recommend you open a support ticket and get it troubleshot.


Regards,

João Rosado

Thank you João, I agree that it should not work like this.  I do have LDAP authentication enabled against our Active Directory system, but we have no user named 'admin' in Active Directory that it could be authenticating against. The LDAP authentication appears to be working correctly for other user accounts.

I will follow up with a support ticket. 

Cheers,
-Brian

We have same issue (9.0.1.35).  If I try to change the password for admin, I can't; the fields are read-only.  I can change other user passwords.  I can't log into Lifetime with Admin because the password is unknown.  I tried admin/admin but that didn't work. 

Brian, did you find anything out?

Thanks!

Hi David,

I filed a support case yesterday, at low priority, but I have not yet received any response. I will follow up here when I have any new information. The issue you are seeing sounds similar, with the difference that in my case I (correctly) cannot edit other users' passwords as we are authenticating them against an external auth provider.

-Brian
 
Brian Pardy wrote:
Hi David,

I filed a support case yesterday, at low priority, but I have not yet received any response. I will follow up here when I have any new information. The issue you are seeing sounds similar, with the difference that in my case I (correctly) cannot edit other users' passwords as we are authenticating them against an external auth provider.

-Brian
 
Hi Brian. 

We are not using any external providers and I don't think I've ever used the admin account.  We are in the middle of a migration and one of the steps is to ensure I can log in to LT as the admin.  Which I can't.  I look forward to hearing back when you get some news.

Thank you for your help,
Dave

Hi Dave,

After filing a support ticket, my issue is now resolved. Support provided an updated version of the LDAPAuthProvider that eliminated the ability to login as 'admin' with an empty password. They also pointed out that in my situation I needed to have my LDAPAuthProvider configured to fall back to internal OutSystems authentication when LDAP authentication failed in order to be able to login to the 'admin' user.  After checking the box in the LDAPAuthProvider configuration screen to enable fallback authentication, my 'admin' user password now works correctly.

In your case, I would suggest filing a support ticket for assistance resetting the admin user's password in LT. You (or your database administrator) may be able to directly update the admin user's hashed password in LT's ossys_users table by copying the hash from an account that you do know, but it is probably safest to pursue that with guidance from support.

Cheers,
-Brian

Hi Brian - Thank you for updating me on this and I'm glad to hear you got your issue resolved. We hope to be using LDAP in the near future so this will come in handy.

I'll see about opening a ticket and trying to get my issue resolved. 

Thank you again,
Dave

Solution

Hello everyone,

As João Rosado stated, the behavior originally reported here is not the intended behavior. The OutSystems Platform should not allow you to authenticate using an empty password.

What happened was that Brian (unwittingly) uncovered a security flaw in the OutSystems Platform. Please refer to this Knowledge Base article for further details, and a fix for the issue.

Best regards,

Ricardo Silva

Thank you for the follow up and communication to users, Ricardo.  It's great to see things like this fixed so quickly. Had I realized this was an issue that didn't stem from a simple misconfiguration on my side, I would have reported it in a more private setting. Please offer the team my apologies for the unintended public disclosure!


Cheers!

-Brian