nginxinc/nginx-ldap-auth

Query inject attack / security vulnerability

valodzka opened this issue · 4 comments

Using simple Python formatting for X-Ldap-Template and user input opens the door to LDAP query injection attacks. For example:

X-Ldap-Template: (|(&(memberOf=x)(cn=%(username)s))(&(memberOf=y)(cn=%(username)s)))

Then passing username: x))((cn=username bypasses the group check.

I'm reopening this because I don't think #93 was fixed and the email security-alerts@nginx.org doesn't work.

Hi @valodzka - Thanks for reaching out. I was the engineer working on the blog post about the risk mitigation. We are aware of this issue and we are scheduling a new release of this reference implementation that will escape the username sent by the user.

The mailbox should work; I have just sent a test email from my external mailbox. If you have any further information / details, feel free to share them directly with me: t.stark[at]f5[dot]com.

@tippexs I forwarded the bounce email to you.

@valodzka I have created a PR #96 to address this issue.

Done - Closing the issue now
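
The escaping discussed in this thread, shown as an added example (not code from the issue, PR #96 or the project): the username is escaped per RFC 4515 before it is substituted into the template from the report, and a structure check confirms the filter's parenthesis nesting no longer depends on user input. The function names are hypothetical, and the check assumes the template itself is trusted.

```python
# Added example, stdlib only. Function names are hypothetical.

# Template quoted in the issue report.
TEMPLATE = "(|(&(memberOf=x)(cn=%(username)s))(&(memberOf=y)(cn=%(username)s)))"

# RFC 4515 section 3: these characters must be written as \XX (hex)
# when they appear inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one value for use inside an LDAP search filter."""
    # Per-character mapping, so an escaped backslash is never re-escaped.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(template: str, username: str) -> str:
    """Behaviour described in the report: raw substitution."""
    return template % {"username": username}


def build_filter(template: str, username: str) -> str:
    """Substitute the username only after escaping it."""
    return template % {"username": escape_filter_value(username)}


def skeleton(ldap_filter: str) -> str:
    """Parenthesis structure of a filter (escaped ones appear as \\28 / \\29)."""
    return "".join(ch for ch in ldap_filter if ch in "()")


def structure_preserved(template: str, built: str) -> bool:
    """True if `built` nests exactly like the template filled with a plain name."""
    baseline = template % {"username": "placeholder"}
    return skeleton(built) == skeleton(baseline)


if __name__ == "__main__":
    reported = "x))((cn=username"  # username value quoted in the issue
    for build in (build_filter_unsafe, build_filter):
        result = build(TEMPLATE, reported)
        print(build.__name__, structure_preserved(TEMPLATE, result))
        print("  ", result)
```

python-ldap provides `ldap.filter.escape_filter_chars` for the same escaping; `structure_preserved` is also usable as a regression test or a pre-query guard.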