Active Directory authentication is not working if staff's username does not contain any alphabets. We have some staff whose username is just 3 digit numbers. They are not being authenticated.
osTicket considers numeric values passed to the Staff constructor to be the internal ID numbers. You could try removing lines 52-53 in include/class.staff.php

    if (is_numeric($var))
        $sql .= 'staff_id='.db_input($var);

and change line 54 to

    if (Validator::is_email($var))

and see if that fixes things
It fixes things up! Thanks!
It opens up a new problem. I'm not able to edit staff members!
Also, I'm not able to assign tickets to staff. I guess it's because $staff=Staff::lookup($staff) in function assignToStaff fails in class.ticket.php because we commented out the is_numeric condition.
I've modded a part of function load($vars='') in class.staff.php. This fixes the issue.

    $sql='SELECT staff.created as added, grp.*, staff.* '
        .' FROM '.STAFF_TABLE.' staff '
        .' LEFT JOIN '.GROUP_TABLE.' grp ON(grp.group_id=staff.group_id)
           WHERE ';
    // First attempt: numeric input is treated as the internal staff_id
    if (is_numeric($var))
        $sql .= 'staff_id='.db_input($var);
    elseif (Validator::is_email($var))
        $sql .= 'email='.db_input($var);
    else
        $sql .= 'username='.db_input($var);
    if(!($res=db_query($sql)) || !db_num_rows($res))
    {
        // Fallback: no match, so retry the same value as a username
        $sql='SELECT staff.created as added, grp.*, staff.* '
            .' FROM '.STAFF_TABLE.' staff '
            .' LEFT JOIN '.GROUP_TABLE.' grp ON(grp.group_id=staff.group_id)
               WHERE ';
        $sql .= 'username='.db_input($var);
        if(!($res=db_query($sql)) || !db_num_rows($res))
            return NULL;
    }

Maybe y'all could try #2393
I wrote this solution in the include/class.staff.php file, replacing the static function lookup (line 759):

    /**** Static functions ********/
    static function lookup($var) {
        if (is_array($var))
            return parent::lookup($var);
        elseif (is_numeric($var)){
            // Numeric input: try it as staff_id first, then as a username
            $id = parent::lookup(array('staff_id'=>$var));
            if (is_null($id))
                return parent::lookup(array('username'=>$var));
            else
                return $id;
        }
        elseif (Validator::is_email($var))
            return parent::lookup(array('email'=>$var));
        elseif (is_string($var))
            return parent::lookup(array('username'=>$var));
        else
            return null;
    }

We must consider that it can generate security problems if the staff_id is similar to usernames.
But there should be no problems if the number of digits of the usernames is large.
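
The collision the last comment warns about, shown as an added example that is not osTicket code and not part of the thread. A constructed in-memory array stands in for the staff table, and `findBy`, `lookupAmbiguous`, `lookupByLogin` and `collidingUsernames` are hypothetical names.

```php
<?php
// Constructed rows standing in for the staff table; not osTicket code.
const STAFF = [
    ['staff_id' => 7,   'username' => '123',   'email' => 'clerk@example.test'],
    ['staff_id' => 123, 'username' => 'admin', 'email' => 'admin@example.test'],
];

// Hypothetical helper: first row whose $field equals $value, or null.
function findBy(string $field, $value): ?array {
    foreach (STAFF as $row) {
        if ((string) $row[$field] === (string) $value) {
            return $row;
        }
    }
    return null;
}

// The pattern from the thread: numeric input is tried as staff_id first.
function lookupAmbiguous($var): ?array {
    if (is_numeric($var)) {
        return findBy('staff_id', $var) ?? findBy('username', $var);
    }
    $isEmail = filter_var($var, FILTER_VALIDATE_EMAIL) !== false;
    return findBy($isEmail ? 'email' : 'username', $var);
}

// Login path that never consults staff_id: the value is always a login name.
function lookupByLogin(string $login): ?array {
    $isEmail = filter_var($login, FILTER_VALIDATE_EMAIL) !== false;
    return findBy($isEmail ? 'email' : 'username', $login);
}

// Audit: all-digit usernames that equal some existing staff_id.
function collidingUsernames(): array {
    $ids = array_column(STAFF, 'staff_id');
    return array_values(array_filter(
        array_column(STAFF, 'username'),
        fn($u) => ctype_digit($u) && in_array((int) $u, $ids, true)
    ));
}

$submitted = '123'; // username typed into the login form
foreach (['lookupAmbiguous', 'lookupByLogin'] as $fn) {
    $row = $fn($submitted);
    printf("%-16s -> staff_id %d, username %s\n", $fn, $row['staff_id'], $row['username']);
}
printf("colliding usernames: %s\n", implode(', ', collidingUsernames()));
```

With the ID-first fallback, the login name `123` resolves to the account whose staff_id is 123 rather than the account that owns that username; keeping the login path separate from ID lookups, or auditing for such overlaps, avoids the mix-up.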