If you use LDAP Auth, please see the following attached patch:
https://sourceforge.net/tracker/index.php?func=detail&aid=966410&group_id=6121&atid=306121
It is already in CVS and will be in the upcoming 1.3.11 release.
Simple fix for an LDAP security problem: gaining unauthorized access
as any user by supplying '*' as the username and iterating over all users
until the given password matches.
This type of security issue, called "LDAP injection," is not
currently well known. The seminal paper on the topic is at:
http://www.spidynamics.com/whitepapers/LDAPinjection.pdf
Detected by Steve Christey, MITRE
----------------------------------
In this patch I only restricted '*'.
For the future we'll have to restrict the allowed username characters
for PassUsers, because I don't want to escape every possible special
character for every possible auth backend and platform.
I suggest allowing only
$userid =~ /^[\w.\-@]+\$?$/ and strlen($userid) < 32
which allows all alphanumeric chars, all localized word chars,
plus ".","-","@" and a trailing "$".
[a-zA-Z0-9_-.] + [äüöèéáÀ...]
Should we be more strict and allow only POSIX'ly correct usernames?
There is no such exact definition, but ...
For IMAP, POP3 and FileAuth for example.
LDAP dislikes * ! ( ) & \
File dislikes also : and names longer than 31 chars.
I'm not sure about dots (i.e. in email). Certain cmdline unix tools bark
on dots.
adduser(8):
    It is recommended that login names contain only lowercase characters
    and digits. They may also contain uppercase characters, non-leading
    hyphens, periods, and a trailing '$'. Login names may not be longer
    than 31 characters (see BUGS section of setlogin(2)).
What about Samba, POSIX ACLs?
I have to check http://www.wlug.org.nz/SambaNotes AND
http://www.wlug.org.nz/LDAPAuthentication
I also learned that with HttpAuth usernames are NOT case-sensitive.
(not yet checked if it affects us)
--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
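The allowlist proposed in the message, worked through in Python as an added example (not code from the post or from PhpWiki): the '-' is escaped so it is a literal rather than a range, a '+' lets names longer than one character through, and the ldap_user_filter helper and the 'uid' attribute are assumptions used to show where the check sits.

```python
import re

# Allowlist from the post: word characters (Unicode-aware in Python, so
# localized letters pass), ".", "-", "@", and an optional trailing "$".
# "-" is escaped so it is a literal, and "+" allows multi-character names.
USERID_RE = re.compile(r"[\w.\-@]+\$?")
MAX_USERID_LEN = 31  # File backend and setlogin(2): at most 31 chars


def is_safe_userid(userid: str) -> bool:
    """Return True only if the login name matches the allowlist."""
    if not userid or len(userid) > MAX_USERID_LEN:
        return False
    return USERID_RE.fullmatch(userid) is not None


def ldap_user_filter(userid: str, attr: str = "uid") -> str:
    """Build the LDAP search filter for a login attempt.

    Refuses anything outside the allowlist instead of escaping it, which is
    the approach the post argues for. Assumed helper, not PhpWiki code.
    """
    if not is_safe_userid(userid):
        raise ValueError("rejected login name: %r" % userid)
    return "(%s=%s)" % (attr, userid)


if __name__ == "__main__":
    # Constructed sample names: the first four pass, the rest are rejected
    # (wildcard, filter metacharacters, ':' for the file backend, too long).
    samples = ["alice", "a.b-c@example.org", "host$", "jürgen",
               "*", "a*", "a)(b", "a:b", "x" * 32]
    for name in samples:
        print("%-20r -> %s" % (name, is_safe_userid(name)))
```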