Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-115

ActiveDirectoryRealm might by vulnerable to LDAP search code injection

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 0.9
    • Fix Version/s: 1.0.0
    • Labels:
      None

      Description

      When searching for a userName within getRoleNamesForUser, the search filter is built by inserting the literal value from userName. Two potential problems might arise: userName might contain (deliberately crafted) LDAP syntax elements that could be used to affect the search. Permissible user principal names within AD (e.g. "A(1") might be rejected due to syntax problems (even some Microsoft software packages appear to be quick-and-dirty here - see note at bottom of http://technet.microsoft.com/en-us/library/cc730634(WS.10).aspx) .

      This potential vulnerability can easily be fixed by using search parameters instead of literals (which should be considered good style anyway). The actual chance for an exploit appears to be very remote, but hackers are so creative

      // vulnerable to injection String searchFilter = "(&(objectClass=*)(userPrincipalName=" + userPrincipalName + "))";
      // vulnerable to injection NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchCtls);

      String searchFilter = "(&(objectClass=*)(userPrincipalName=

      {0}

      ))";
      Object[] searchArguments = new Object[]

      {userPrincipalName}

      ;
      NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchArguments, searchCtls);

        Attachments

          Activity

            People

            • Assignee:
              lhazlewood Les Hazlewood
              Reporter:
              rsaddey Reiner Saddey
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: