Posted to server-dev@james.apache.org by "Thibaut SAUTEREAU (JIRA)" <se...@james.apache.org> on 2017/11/29 10:17:00 UTC
[jira] [Created] (JAMES-2243) Encode special characters in LDAP search filter to prevent injections
Thibaut SAUTEREAU created JAMES-2243:
----------------------------------------
Summary: Encode special characters in LDAP search filter to prevent injections
Key: JAMES-2243
URL: https://issues.apache.org/jira/browse/JAMES-2243
Project: James Server
Issue Type: Bug
Components: data, ldap
Affects Versions: master
Reporter: Thibaut SAUTEREAU
The user-controlled "name" input is not sanitized when making LDAP searches with searchAndBuildUser. This could lead to LDAP injections using special characters.
Possible scenario: an attacker can brute-force password authentication without needing to target a specific user or test every user. For instance, instead of needing to test 1 M passwords on adupont@linagora.com and then on amartin@linagora.com, he can test on a*. Then if a password matches, he can quickly get to the user by dichotomy (aa*, ab*, aba*, abb*, etc.).
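The unescaped filter construction the ticket describes, next to the same filter built with RFC 4515 escaping of the user-controlled value, as an added example that is not James's own code; the attribute name `uid`, the filter shape and the helper names are assumptions.

```python
# Added example (not James code): build an LDAP search filter from a
# user-supplied "name" the unsafe way and with RFC 4515 escaping.
# The attribute name "uid" and the "(uid=<name>)" shape are assumptions.

# RFC 4515 section 3: these characters must be written inside an
# assertion value as a backslash followed by two hex digits.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in a search filter."""
    out = []
    for ch in value:
        if ch in _LDAP_FILTER_ESCAPES:
            out.append(_LDAP_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII: escape each UTF-8 byte (RFC 4515 allows either
            # raw UTF-8 or escaped bytes; escaping keeps the filter ASCII).
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_filter_unsafe(name: str, attr: str = "uid") -> str:
    """Plain concatenation: a '*' in name becomes a live wildcard."""
    return f"({attr}={name})"


def build_filter_safe(name: str, attr: str = "uid") -> str:
    """Same filter, but the user-controlled value is escaped first."""
    return f"({attr}={escape_filter_value(name)})"


def has_live_wildcard(ldap_filter: str) -> bool:
    """Defensive check: an escaped filter never contains a literal '*',
    so any remaining '*' is a wildcard the server will honour."""
    return "*" in ldap_filter
```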
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)