[JAMES-2243] Encode special characters in LDAP search filter to prevent injections - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: master
Fix Version/s: None
Component/s: data, ldap
Labels:
- security

Description

The user-controlled "name" input is not sanitized when making LDAP searches with searchAndBuildUser. This could lead to LDAP injections using special characters.

Possible scenario: an attacker can bruteforce password authentication without needing to target a specific user of test every user. For instance, instead of needing to test 1 M passwords on adupont@linagora.com and then on amartin@linagora.com, he can test on a*. Then if a password matches, he can quickly get to the user by dichotomy (aa*, ab*, aba*, abb*, etc.).

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Thibaut SAUTEREAU

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 29/Nov/17 10:16

Updated:: 30/Nov/17 16:30

Resolved:: 30/Nov/17 16:30