
List:       james-dev
Subject:    [jira] [Resolved] (JAMES-2243) Encode special characters in LDAP search filter to prevent injections
From:       "Antoine Duprat (JIRA)" <server-dev () james ! apache ! org>
Date:       2017-11-30 16:31:00
Message-ID: JIRA.13121605.1511950616000.356488.1512059460672 () Atlassian ! JIRA


     [ https://issues.apache.org/jira/browse/JAMES-2243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antoine Duprat resolved JAMES-2243.
-----------------------------------
    Resolution: Fixed

merged

> Encode special characters in LDAP search filter to prevent injections
> ---------------------------------------------------------------------
> 
> Key: JAMES-2243
> URL: https://issues.apache.org/jira/browse/JAMES-2243
> Project: James Server
> Issue Type: Bug
> Components: data, ldap
> Affects Versions: master
> Reporter: Thibaut SAUTEREAU
> Labels: security
> 
> The user-controlled "name" input is not sanitized when making LDAP searches with
> searchAndBuildUser. This could lead to LDAP injections using special characters.
> Possible scenario: an attacker can brute-force password authentication without
> needing to target a specific user or test every user. For instance, instead of
> needing to test 1 M passwords on adupont@linagora.com and then on
> amartin@linagora.com, he can test on a*. Then if a password matches, he can quickly
> get to the user by dichotomy (aa*, ab*, aba*, abb*, etc.).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
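Editorial note on the fix the issue title describes: the following Python is an added illustration, not the James patch (which lives in the project's Java code base). It implements the RFC 4515 escaping of assertion values and pairs it with a small in-memory stand-in for the directory search, so the effect of the unsanitized wildcard versus the escaped value can be checked offline. The function names, the `mail` attribute and the sample directory are constructed for this example.

```python
import re

def escape_filter_value(value: str) -> str:
    """Encode user input for use as an LDAP filter assertion value (RFC 4515 section 3):
    * ( ) \\ NUL and non-ASCII bytes become \\XX escapes, so 'a*' can only match literally."""
    return "".join(f"\\{b:02x}" if b in b"*()\\\x00" or b >= 0x80 else chr(b)
                   for b in value.encode("utf-8"))

def build_user_filter_unsafe(attr: str, name: str) -> str:
    """Vulnerable pattern: caller-controlled input is concatenated into the filter as-is."""
    return f"({attr}={name})"

def build_user_filter(attr: str, name: str) -> str:
    """Hardened pattern: the input is escaped before it reaches the filter string."""
    return f"({attr}={escape_filter_value(name)})"

def _assertion_to_regex(pattern: str):
    """How a server reads an assertion value: unescaped '*' is a wildcard, '\\XX' is one byte."""
    parts, literal, i = [], bytearray(), 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 2 < len(pattern):
            literal += bytes.fromhex(pattern[i + 1:i + 3])
            i += 3
        elif pattern[i] == "*":
            parts += [re.escape(bytes(literal)), b".*"]
            literal, i = bytearray(), i + 1
        else:
            literal += pattern[i].encode("utf-8")
            i += 1
    parts.append(re.escape(bytes(literal)))
    return re.compile(b"".join(parts), re.DOTALL)

def matching_users(filter_str: str, directory: dict) -> list:
    """Evaluate one '(attr=value)' filter against {uid: {attr: value}}; stands in for the LDAP server."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str, re.DOTALL)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str!r}")
    attr, pattern = m.groups()
    regex = _assertion_to_regex(pattern)
    return sorted(uid for uid, e in directory.items()
                  if regex.fullmatch(e.get(attr, "").encode("utf-8")))

# Constructed sample directory (not real data); the first two addresses appear in the report.
DIRECTORY = {"adupont": {"mail": "adupont@linagora.com"},
             "amartin": {"mail": "amartin@linagora.com"},
             "bsmith": {"mail": "bsmith@example.com"}}

if __name__ == "__main__":  # raw 'a*' matches two accounts, escaped 'a\2a' matches none
    print(matching_users(build_user_filter_unsafe("mail", "a*"), DIRECTORY),
          matching_users(build_user_filter("mail", "a*"), DIRECTORY))
```

The stand-in evaluator handles only a single equality/substring assertion, which is all that is needed to show why the wildcard in the report collapses to a literal once the value is escaped.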

