Posted to dev@shiro.apache.org by "Les Hazlewood (JIRA)" <ji...@apache.org> on 2009/12/07 17:31:18 UTC

[jira] Resolved: (SHIRO-115) ActiveDirectoryRealm might be vulnerable to LDAP search code injection

     [ https://issues.apache.org/jira/browse/SHIRO-115?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood resolved SHIRO-115.
---------------------------------

       Resolution: Fixed
    Fix Version/s: 1.0
         Assignee: Les Hazlewood

Committed to rev. 887987.  Please test further and re-open if you see any problems.

> ActiveDirectoryRealm might be vulnerable to LDAP search code injection
> ----------------------------------------------------------------------
>
>                 Key: SHIRO-115
>                 URL: https://issues.apache.org/jira/browse/SHIRO-115
>             Project: Shiro
>          Issue Type: Bug
>          Components: Authentication (log-in)
>    Affects Versions: 0.9
>            Reporter: Reiner Saddey
>            Assignee: Les Hazlewood
>            Priority: Minor
>             Fix For: 1.0
>
>
> When searching for a userName within getRoleNamesForUser, the search filter is built by inserting the literal value from userName. Two potential problems might arise: userName might contain (deliberately crafted) LDAP syntax elements that could be used to affect the search. Permissible user principal names within AD (e.g. "A(1") might be rejected due to syntax problems (even some Microsoft software packages appear to be quick-and-dirty here - see note at bottom of http://technet.microsoft.com/en-us/library/cc730634(WS.10).aspx) .
> This potential vulnerability can easily be fixed by using search parameters instead of literals (which should be considered good style anyway). The actual chance for an exploit appears to be very remote, but hackers are so creative :-)
> // vulnerable to injection: the raw userPrincipalName is concatenated into the filter
> String searchFilter = "(&(objectClass=*)(userPrincipalName=" + userPrincipalName + "))";
> NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchCtls);
>
> // fixed: the value is passed as a search argument and substituted for {0}
> String searchFilter = "(&(objectClass=*)(userPrincipalName={0}))";
> Object[] searchArguments = new Object[] {userPrincipalName};
> NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchArguments, searchCtls);

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
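The difference between the two filter constructions quoted above, as an added example that is not Shiro's code and is written in Python rather than Java so it runs without a directory server. It assumes RFC 4515 escaping of the assertion value (which is what JNDI applies to a {0} filter argument), uses constructed user principal names, and includes a deliberately minimal filter parser standing in for the server's own parser; the parser, the sample UPNs and the helper names are all assumptions of this example.

```python
"""Added example (not Shiro code): concatenating a user value into an LDAP filter
versus escaping it per RFC 4515, checked with a minimal filter parser."""
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so a filter parser can only ever treat it as literal text."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII is escaped byte-wise as UTF-8, e.g. 'ü' -> \c3\bc.
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_filter_unsafe(upn: str) -> str:
    """The pattern reported in SHIRO-115: the raw value is pasted into the filter."""
    return "(&(objectClass=*)(userPrincipalName=" + upn + "))"


def build_filter_safe(upn: str) -> str:
    """Same filter with the value escaped; equivalent to the {0} argument form."""
    return "(&(objectClass=*)(userPrincipalName=" + escape_filter_value(upn) + "))"


# attribute, comparison operator, value; a value may not contain unescaped parens
_ITEM = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(=|~=|>=|<=)([^()]*)$")


def parse_filter(text: str):
    """Minimal RFC 4515 parser (assumed stand-in for the server's). Returns
    ('&'|'|'|'!', [children]) or ('item', attr, op, value); raises ValueError on a
    malformed filter, as a server would with a bad-search-filter error."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter at offset %d" % pos)
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError("empty filter list")
        node = (op, children)
    elif s[i] == "!":
        i, child = _parse(s, i + 1)
        node = ("!", [child])
    else:
        j = s.find(")", i)  # an unescaped ')' always ends an item
        if j < 0:
            raise ValueError("unterminated filter item")
        m = _ITEM.match(s[i:j])
        if not m:
            raise ValueError("malformed filter item %r" % s[i:j])
        node = ("item",) + m.groups()
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1, node


def upn_clauses(filter_text: str):
    """(op, value) pairs asserted on userPrincipalName, so a caller can see whether
    the user-controlled value became anything other than one literal match."""
    found = []

    def walk(node):
        if node[0] == "item":
            if node[1].lower() == "userprincipalname":
                found.append((node[2], node[3]))
        else:
            for child in node[1]:
                walk(child)

    walk(parse_filter(filter_text))
    return found


if __name__ == "__main__":
    # Constructed inputs: a normal UPN, the legitimate 'A(1' case, and an injection.
    for upn in ("alice@example.com", "A(1@example.com", "*)(userPrincipalName=*"):
        for label, build in (("unsafe", build_filter_unsafe), ("safe", build_filter_safe)):
            f = build(upn)
            try:
                print("%-6s %-64s -> %s" % (label, f, upn_clauses(f)))
            except ValueError as e:
                print("%-6s %-64s -> rejected: %s" % (label, f, e))
```

Run stand-alone, the unsafe build turns `*)(userPrincipalName=*` into two presence clauses (every user matches) and rejects the valid name `A(1@example.com` with a parse error, while the escaped build yields exactly one equality clause in both cases. Hand-rolled escaping is only needed when a filter string is assembled by hand; with JNDI the `{0}` argument form shown in the issue does it for you.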