From: Reini U. <ru...@x-...> - 2004-06-04 10:48:20
If you use LDAP Auth, please see the attached patch:
https://sourceforge.net/tracker/index.php?func=detail&aid=966410&group_id=6121&atid=306121

It is already in CVS and will be in the upcoming 1.3.11 release. Simple fix for an LDAP security problem: gaining unauthorized access as any user by supplying '*' as username and iterating over all users until the given password matches.

This type of security issue, called "LDAP injection," is not currently well known. The seminal paper on the topic is at:
http://www.spidynamics.com/whitepapers/LDAPinjection.pdf

Detected by Steve Christey, MITRE

----------------------------------

In this patch I only restricted '*'. For the future we'll have to restrict the allowed username characters for PassUsers, because I don't want to escape every possible special character for every possible auth backend and platform.

I suggest allowing only

  $userid =~ /^[\w.-@]\$?$/ and strlen($userid) < 32

which allows all alphanumeric chars, all localized word chars, plus ".", "-", "@" and a trailing "$".

  [a-zA-Z0-9_-.] + [äüöèéáÀ...]

Should we be more strict and allow only POSIX'ly correct usernames? There is no such exact definition, but ...

For IMAP, POP3 and FileAuth for example:
LDAP dislikes  * ! ( ) & \
File dislikes also : and names longer than 31 chars.

I'm not sure about dots (i.e. in email). Certain cmdline unix tools bark on dots. adduser(8):

  It is recommended that login names contain only lowercase characters
  and digits. They may also contain uppercase characters, non-leading
  hyphens, periods, and a trailing '$'. Login names may not be longer
  than 31 characters (see BUGS section of setlogin(2)).

What about Samba, POSIX ACL's? I have to check
http://www.wlug.org.nz/SambaNotes and
http://www.wlug.org.nz/LDAPAuthentication

I also learned that with HttpAuth usernames are NOT case-sensitive. (not yet checked if it affects us)

--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
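An added example, not code from the PhpWiki patch or from the message above: a username whitelist implementing the policy proposed for PassUsers (word chars, ".", "-", "@", optional trailing "$", fewer than 32 chars) in front of LDAP filter construction, with RFC 4515 escaping as a second layer. The regex is my reading of the stated policy (the message's one-liner lacks a repetition quantifier), and the function names are assumptions.

```python
import re

# Whitelist as proposed in the message: alphanumerics and localized word chars
# (\w on str covers both in Python 3), plus "." "-" "@" and an optional trailing "$".
USERNAME_RE = re.compile(r"^[\w.@-]+\$?$")
MAX_LEN = 31  # strlen($userid) < 32


def username_is_allowed(userid: str) -> bool:
    """True if userid fits the proposed PassUsers whitelist.

    Everything LDAP filters treat specially ("* ! ( ) & \\") falls outside the
    class, so the '*' wildcard trick described in the message is rejected here,
    before any backend sees the value.
    """
    if not userid or len(userid) > MAX_LEN:
        return False
    return USERNAME_RE.fullmatch(userid) is not None


def escape_ldap_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter.

    The whitelist already excludes these characters; escaping anyway means a
    future relaxation of the whitelist does not silently reopen the hole.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_uid_filter(userid: str) -> str:
    """Build the (uid=...) search filter, refusing names outside the whitelist."""
    if not username_is_allowed(userid):
        raise ValueError("username rejected by whitelist: %r" % userid)
    return "(uid=%s)" % escape_ldap_filter_value(userid)


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary login, one Samba-style machine
    # account, and the wildcard from the report.
    for name in ("rurban", "machine$", "*"):
        try:
            print(name, "->", build_uid_filter(name))
        except ValueError as exc:
            print(name, "->", exc)
```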