Thibaut SAUTEREAU created JAMES-2243:
----------------------------------------

             Summary: Encode special characters in LDAP search filter to prevent injections
                 Key: JAMES-2243
                 URL: https://issues.apache.org/jira/browse/JAMES-2243
             Project: James Server
          Issue Type: Bug
          Components: data, ldap
    Affects Versions: master
            Reporter: Thibaut SAUTEREAU


The user-controlled "name" input is not sanitized when making LDAP searches 
with searchAndBuildUser. This could lead to LDAP injections using special 
characters.

Possible scenario: an attacker can bruteforce password authentication without 
needing to target a specific user or test every user. For instance, instead of 
needing to test 1 M passwords on adup...@linagora.com and then on 
amar...@linagora.com, he can test on a*. Then if a password matches, he can 
quickly get to the user by dichotomy (aa*, ab*, aba*, abb*, etc.).
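The fix the summary asks for is to encode the RFC 4515 special characters (`*`, `(`, `)`, `\` and NUL) before the value is placed in the filter, so the user-supplied name can only ever match one literal attribute value. The following is an added illustration in Python, not code from Apache James: `build_user_filter_unsafe` reproduces the raw-concatenation pattern described above, `build_user_filter` applies the escaping, and `search_uids` is a deliberately tiny stand-in for an LDAP server run over a constructed directory of three fake entries, so the effect of the wildcard can be observed without a real directory. Function names and sample entries are assumptions of this example.

```python
import re

# Characters that RFC 4515 section 3 requires to be escaped inside an
# assertion value: each becomes a backslash plus the two-digit hex code.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Encode `value` so an LDAP server treats it as a literal assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(user_attr: str, name: str) -> str:
    """Vulnerable pattern: the name is concatenated into the filter as-is."""
    return f"({user_attr}={name})"


def build_user_filter(user_attr: str, name: str) -> str:
    """Hardened pattern: special characters in the name are hex-escaped first."""
    return f"({user_attr}={escape_filter_value(name)})"


def _decode_assertion(assertion: str) -> "re.Pattern":
    """Turn an assertion value into a regex the way a server would interpret it:
    an unescaped '*' is a substring wildcard, '\\xx' decodes to one literal
    character (ASCII-only decoding is enough for this example)."""
    parts = []
    i = 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "\\" and i + 2 < len(assertion):
            parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


# Constructed sample directory (hypothetical accounts, not real users).
SAMPLE_DIRECTORY = [
    {"uid": "adupont", "userPassword": "hunter2"},
    {"uid": "amartin", "userPassword": "letmein"},
    {"uid": "bsmith", "userPassword": "hunter2"},
]


def search_uids(filter_str: str, directory=SAMPLE_DIRECTORY) -> list:
    """Minimal '(attr=value)' matcher standing in for an LDAP server.
    Returns the uids of the entries the filter matches."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str, re.DOTALL)
    if m is None:
        raise ValueError("unsupported filter: " + filter_str)
    attr, assertion = m.group(1), m.group(2)
    pattern = _decode_assertion(assertion)
    return [e["uid"] for e in directory if attr in e and pattern.match(e[attr])]


if __name__ == "__main__":
    # Unescaped, "a*" is a wildcard and the search returns every uid starting with "a";
    # escaped, it is the literal string "a*" and matches nothing in the directory.
    print(build_user_filter_unsafe("uid", "a*"), search_uids(build_user_filter_unsafe("uid", "a*")))
    print(build_user_filter("uid", "a*"), search_uids(build_user_filter("uid", "a*")))
```

The escaping is the same that a fixed `searchAndBuildUser` would need to apply to "name" before building its filter; an authentication path that binds as whichever single entry the search returns is exactly what the scenario above relies on, and once the wildcard is encoded the search can only find a user whose attribute is literally `a*`.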



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
