[ https://issues.apache.org/jira/browse/JAMES-2243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Antoine Duprat resolved JAMES-2243.
-----------------------------------
    Resolution: Fixed

merged

> Encode special characters in LDAP search filter to prevent injections
> ---------------------------------------------------------------------
>
>                 Key: JAMES-2243
>                 URL: https://issues.apache.org/jira/browse/JAMES-2243
>             Project: James Server
>          Issue Type: Bug
>          Components: data, ldap
>    Affects Versions: master
>            Reporter: Thibaut SAUTEREAU
>              Labels: security
>
> The user-controlled "name" input is not sanitized when making LDAP searches with searchAndBuildUser. This could lead to LDAP injections using special characters.
>
> Possible scenario: an attacker can brute-force password authentication without needing to target a specific user or test every user. For instance, instead of needing to test 1 M passwords on adup...@linagora.com and then on amar...@linagora.com, he can test on a*. Then if a password matches, he can quickly get to the user by dichotomy (aa*, ab*, aba*, abb*, etc.).

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
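The fix the issue title describes is value escaping per RFC 4515 section 3: inside a filter assertion value, `*`, `(`, `)`, `\` and NUL must be written as `\2a`, `\28`, `\29`, `\5c` and `\00`, so a login name of `a*` stays an exact-match lookup instead of becoming a substring search. The block below is an added example and not James' own code or its actual patch; the `uid` attribute name, the `sanitize` switch and the sample names are assumptions. It shows the raw-interpolation pattern beside the escaped one, and a defender-side check that a filter built for a user lookup is still a single equality assertion with no wildcard.

```python
"""Escape user-supplied values before interpolating them into an LDAP search
filter (RFC 4515 section 3), and check that a user-lookup filter is still an
exact-match filter.  Added example, not James' own code; the attribute name
'uid' and the sample inputs are assumptions."""
import re

# Characters that carry meaning inside an LDAP filter assertion value and the
# hex escapes RFC 4515 prescribes for them.
_ESCAPES = {
    "\\": r"\5c",    # escape introducer
    "*": r"\2a",     # substring wildcard
    "(": r"\28",     # filter grouping
    ")": r"\29",
    "\x00": r"\00",  # NUL
}


def escape_filter_value(value: str) -> str:
    """Return `value` with every RFC 4515 special character hex-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(name: str, attr: str = "uid", sanitize: bool = True) -> str:
    """Build the filter used to look a user up by login name.

    sanitize=False reproduces the vulnerable pattern (raw interpolation);
    sanitize=True is the fixed pattern (escaped before interpolation)."""
    value = escape_filter_value(name) if sanitize else name
    return f"({attr}={value})"


# An exact-match filter: one attribute, one value, and nothing in the value
# but ordinary characters or \XX hex escapes.
_EXACT_MATCH = re.compile(r"^\((\w+)=((?:[^*()\\\x00]|\\[0-9a-fA-F]{2})*)\)$")


def filter_is_exact_match(filter_str: str, attr: str = "uid") -> bool:
    """True if `filter_str` is a single equality assertion on `attr` with no
    wildcard and no extra clauses.  Usable as a guard before the search is
    sent, or as a check over filters recorded in directory/server logs."""
    m = _EXACT_MATCH.match(filter_str)
    return m is not None and m.group(1) == attr


if __name__ == "__main__":
    # Constructed inputs: a normal login, the wildcard from the report, and a
    # benign value containing parentheses.
    for name in ("alice", "a*", "bob (contractor)"):
        raw = build_user_filter(name, sanitize=False)
        safe = build_user_filter(name)
        print(f"{name!r:20} raw={raw:24} exact={filter_is_exact_match(raw)!s:5} "
              f"escaped={safe:28} exact={filter_is_exact_match(safe)}")
```

Escaping is applied to the assertion value only; the attribute name is never taken from user input. Note that this is filter escaping, not DN escaping (RFC 4514), which uses different rules and would be needed if the name were placed into a distinguished name rather than a search filter.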