Posted to dev@tomcat.apache.org by bu...@apache.org on 2021/04/08 14:38:11 UTC

[Bug 65224] New: JNDIRealm doesn't escape filters containing username

https://bz.apache.org/bugzilla/show_bug.cgi?id=65224

            Bug ID: 65224
           Summary: JNDIRealm doesn't escape filters containing username
           Product: Tomcat 8
           Version: 8.5.65
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: ilja.farber@sap.com
  Target Milestone: ----

Bug 23190 fixes a similar issue. But the methods JNDIRealm.getUserBySearch() and
getUserByPattern() still use unescaped filters. The already available
doRFC2254Encoding() would fix the issue.


In the following use case it is even a security issue.
Tomcat runs with a LockOutRealm over a JNDIRealm and only one user, Hugo, in the
configured userBase. A client can log on with Hugo/<password> as well as with
H*/<password>. It always works if the LDAP search returns exactly one entry for the
query.

A bad client can outflank the lockout configuration with
H*/<wrong_password1-5>, H**/<wrong_password6-10> etc.

Besides the lockout trouble, I don't think it is acceptable to allow logon for
H* instead of the real user Hugo.

The issue actually exists in all (current) Tomcat versions.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
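The escaping the report asks for, shown as an added example in Python rather than Tomcat's Java (this is not the project's code): the escape table covers the characters RFC 4515 (successor of RFC 2254) requires, and a constructed one-user directory plus a tiny filter evaluator show why an unescaped H* resolves to Hugo while the escaped value matches nothing.

```python
import re

# Characters that RFC 4515 (the successor of RFC 2254) requires to be escaped in a
# filter assertion value; Tomcat's doRFC2254Encoding() handles the same set.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

# Constructed toy directory standing in for the configured userBase: one user, Hugo.
DIRECTORY = {"uid=Hugo,ou=people,dc=example,dc=com": {"uid": "Hugo"}}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the filter matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_search: str, username: str, escape: bool = True) -> str:
    """Expand a Tomcat-style userSearch pattern, where {0} is the username.
    escape=False reproduces the unescaped behaviour described in the report."""
    value = escape_filter_value(username) if escape else username
    return user_search.replace("{0}", value)


def _assertion_to_regex(assertion: str) -> re.Pattern:
    """Interpret an assertion value the way an LDAP server would: a bare '*' is a
    wildcard, while '\\XX' is one literal character with hex code XX."""
    parts, i = [], 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "*":
            parts.append(".*")
        elif ch == "\\" and i + 3 <= len(assertion):
            parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
            continue
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def search(filter_str: str) -> list[str]:
    """Evaluate a single (attr=value) equality filter against DIRECTORY."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("only simple (attr=value) filters are supported here")
    attr, pattern = m.group(1), _assertion_to_regex(m.group(2))
    return [dn for dn, e in DIRECTORY.items() if pattern.match(e.get(attr, ""))]


if __name__ == "__main__":
    for name in ("Hugo", "H*"):
        print(name, "unescaped ->", search(build_user_filter("(uid={0})", name, escape=False)))
        print(name, "escaped   ->", search(build_user_filter("(uid={0})", name)))
```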


[Bug 65224] JNDIRealm doesn't escape filters containing username

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65224

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Fixed in:
- 10.0.x for 10.0.6 onwards
- 9.0.x for 9.0.46 onwards
- 8.5.x for 8.5.66 onwards
- 7.0.x for 7.0.109 onwards
