ActiveDirectoryRealm might be vulnerable to LDAP search code injection
----------------------------------------------------------------------

                 Key: SHIRO-115
                 URL: https://issues.apache.org/jira/browse/SHIRO-115
             Project: Shiro
          Issue Type: Bug
          Components: Authentication (log-in)
    Affects Versions: 1.0
            Reporter: Reiner Saddey
            Priority: Minor


When searching for a userName within getRoleNamesForUser, the search filter is 
built by inserting the literal value from userName. Two potential problems 
might arise: userName might contain (deliberately crafted) LDAP syntax elements 
that could be used to affect the search, and permissible user principal names 
within AD (e.g. "A(1") might be rejected due to syntax problems (even some 
Microsoft software packages appear to be quick-and-dirty here; see the note at 
the bottom of http://technet.microsoft.com/en-us/library/cc730634(WS.10).aspx).

This potential vulnerability can easily be fixed by using search parameters 
instead of literals (which should be considered good style anyway). The actual 
chance for an exploit appears to be very remote, but hackers are so creative 
:-) 

        // vulnerable to injection: the raw value is concatenated into the filter
        String searchFilter =
            "(&(objectClass=*)(userPrincipalName=" + userPrincipalName + "))";
        // vulnerable to injection: the concatenated filter is sent as-is
        NamingEnumeration answer =
            ldapContext.search(searchBase, searchFilter, searchCtls);

        // fixed: the value is passed as a search argument for the {0} placeholder
        String searchFilter = "(&(objectClass=*)(userPrincipalName={0}))";
        Object[] searchArguments = new Object[] {userPrincipalName};
        NamingEnumeration answer =
            ldapContext.search(searchBase, searchFilter, searchArguments, searchCtls);
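The parameterized form above leaves the escaping of the substituted value to the LDAP provider. The following Python snippet is an added illustration, not Shiro's code and not a JNDI API, of what that escaping rule (RFC 4515 assertion-value escaping) does to the two cases the report mentions: a legitimate principal name containing "(" and a value containing a filter wildcard. The filter template and the sample names are constructed for the example.

```python
# Added example (not part of the Shiro issue or code base): RFC 4515 escaping of
# an LDAP filter assertion value, compared with the naive concatenation the
# report flags. The template mirrors the filter quoted in the report.

# RFC 4515 section 3: these characters must be escaped inside an assertion value
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it can be embedded as a value in an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def naive_filter(user_principal_name: str) -> str:
    """The pattern the report flags: the value is concatenated unescaped."""
    return "(&(objectClass=*)(userPrincipalName=" + user_principal_name + "))"


def parameterized_filter(user_principal_name: str) -> str:
    """The fix: a template with a placeholder, the argument escaped before substitution."""
    template = "(&(objectClass=*)(userPrincipalName={0}))"
    return template.format(escape_filter_value(user_principal_name))


def parens_balanced(ldap_filter: str) -> bool:
    """Cheap syntax check: literal parentheses must nest properly.

    Escaped forms such as \\28 and \\29 contain no literal parentheses, so a
    correctly escaped filter always passes; an unescaped "(" in a value does not.
    """
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample principal names: the legitimate "A(1" from the report
    # and a bare wildcard, which the escaping neutralises.
    for upn in ["jdoe@example.com", "A(1", "*"]:
        print(f"value {upn!r}")
        print(f"  naive:         {naive_filter(upn)}  balanced={parens_balanced(naive_filter(upn))}")
        print(f"  parameterized: {parameterized_filter(upn)}  balanced={parens_balanced(parameterized_filter(upn))}")
```

Run it as a script to see both filters side by side: the naive filter for "A(1" is syntactically broken (one unmatched parenthesis), while the escaped filter is well formed and still matches that exact principal name, which is the behaviour the report asks for.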

