james-server-dev mailing list archives

From "Antoine Duprat (JIRA)" <server-...@james.apache.org>
Subject [jira] [Resolved] (JAMES-2243) Encode special characters in LDAP search filter to prevent injections
Date Thu, 30 Nov 2017 16:31:00 GMT

     [ https://issues.apache.org/jira/browse/JAMES-2243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antoine Duprat resolved JAMES-2243.
-----------------------------------
    Resolution: Fixed

merged

> Encode special characters in LDAP search filter to prevent injections
> ---------------------------------------------------------------------
>
>                 Key: JAMES-2243
>                 URL: https://issues.apache.org/jira/browse/JAMES-2243
>             Project: James Server
>          Issue Type: Bug
>          Components: data, ldap
>    Affects Versions: master
>            Reporter: Thibaut SAUTEREAU
>              Labels: security
>
> The user-controlled "name" input is not sanitized when making LDAP searches with searchAndBuildUser.
> This could lead to LDAP injections using special characters.
> Possible scenario: an attacker can brute-force password authentication without needing
> to target a specific user or test every user. For instance, instead of needing to test 1 M
> passwords on adupont@linagora.com and then on amartin@linagora.com, he can test on a*. Then
> if a password matches, he can quickly get to the user by dichotomy (aa*, ab*, aba*, abb*,
> etc.).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

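The issue above is about a search filter built by string concatenation from a user-supplied name, so that a wildcard such as `a*` turns an exact-match lookup into a prefix match. The following is an added example, not James's code and not the change that resolved JAMES-2243: it shows the filter assembled the vulnerable way beside the hardened way, using an escape routine that follows RFC 4515 section 3 (backslash, `*`, `(`, `)` and NUL are hex-escaped, and any non-printable or non-ASCII character is escaped as its UTF-8 bytes). The attribute name `uid`, the `(uid=...)` filter shape and all class and method names are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;

/**
 * Added example (not part of James): escaping a user-supplied value before
 * it is interpolated into an LDAP search filter. The "uid" attribute and the
 * filter shape are assumptions chosen for illustration.
 */
public final class LdapFilterEscaping {

    private LdapFilterEscaping() {}

    /**
     * Escape a value for use inside an LDAP filter assertion (RFC 4515 sect. 3).
     * After escaping, the value can only ever match a literal attribute value:
     * "a*" becomes "a\2a", which no longer acts as a wildcard.
     */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        value.codePoints().forEach(cp -> {
            switch (cp) {
                case '\\': sb.append("\\5c"); break;   // escape char itself
                case '*':  sb.append("\\2a"); break;   // wildcard
                case '(':  sb.append("\\28"); break;   // filter grouping
                case ')':  sb.append("\\29"); break;
                case 0:    sb.append("\\00"); break;   // NUL
                default:
                    if (cp < 0x20 || cp > 0x7e) {
                        // control or non-ASCII code point: emit each UTF-8 byte as \xx
                        String s = new String(Character.toChars(cp));
                        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
                            sb.append(String.format("\\%02x", b & 0xff));
                        }
                    } else {
                        sb.append((char) cp);
                    }
            }
        });
        return sb.toString();
    }

    /** Vulnerable shape: the raw name is concatenated, so "a*" matches every uid starting with "a". */
    public static String vulnerableFilter(String name) {
        return "(uid=" + name + ")";
    }

    /** Hardened shape: the escaped name matches only the literal uid the user typed. */
    public static String safeFilter(String name) {
        return "(uid=" + escapeFilterValue(name) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal name, the wildcard from the issue,
        // a narrowed wildcard, and a value containing the escape character.
        String[] inputs = {"adupont", "a*", "aa*", "a\\b"};
        for (String in : inputs) {
            System.out.printf("%-10s  vulnerable: %-14s  safe: %s%n",
                    in, vulnerableFilter(in), safeFilter(in));
        }
        // Expected: "a*" -> vulnerable "(uid=a*)", safe "(uid=a\2a)"
    }
}
```

Escaping is done on the value only; the surrounding filter syntax stays under the application's control. If the directory library in use offers its own filter-building API with parameterised values (most LDAP SDKs do), that is preferable to hand-rolled escaping, but the escape table above is what such an API applies internally. A useful regression check is to assert that `safeFilter("a*")` contains no bare `*`, `(` or `)` beyond the outer pair.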

