nginxinc / nginx-ldap-auth

Example of LDAP authentication using ngx_http_auth_request_module
BSD 2-Clause "Simplified" License

Query inject attack / security vulnerability #93

Closed valodzka closed 2 years ago

valodzka commented 2 years ago

Using simple python formatting for X-Ldap-Template and user input opens the door to ldap query injection attacks. For example:

X-Ldap-Template: (|(&(memberOf=x)(cn=%(username)s))(&(memberOf=y)(cn=%(username)s)))

Then passing the username x))((cn=username bypasses the group check.
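As an added illustration of the problem described above (example code, not code from nginx-ldap-auth or from any commenter), the username is escaped per RFC 4515 before being substituted into the X-Ldap-Template from the report, so parentheses in the value stay literal, and a structural check compares the built filter with the template's own shape. Function names and the sample input are constructed for this example.

```python
# Added example, not part of the nginx-ldap-auth repository.  Shows the
# verbatim substitution the issue reports beside an RFC 4515-escaped version.

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_filter_value(value: str) -> str:
    """Encode a user-supplied string so it can only be read as a literal
    attribute value inside an LDAP search filter (RFC 4515 escaping)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

# The X-Ldap-Template quoted in the issue.
TEMPLATE = "(|(&(memberOf=x)(cn=%(username)s))(&(memberOf=y)(cn=%(username)s)))"

def build_filter_unsafe(template: str, username: str) -> str:
    """Plain %-formatting with the raw username: the behaviour reported."""
    return template % {"username": username}

def build_filter_safe(template: str, username: str) -> str:
    """Same template, but the user-controlled value is escaped first."""
    return template % {"username": escape_filter_value(username)}

def matches_template_structure(template: str, ldap_filter: str) -> bool:
    """Sanity check: a filter built from a fixed template and escaped values
    has exactly as many parentheses as the template with an empty value."""
    skeleton = template % {"username": ""}
    return (ldap_filter.count("(") == skeleton.count("(")
            and ldap_filter.count(")") == skeleton.count(")"))

if __name__ == "__main__":
    # Constructed input modelled on the value quoted in the issue.
    username = "x))((cn=username"
    print("unsafe:", build_filter_unsafe(TEMPLATE, username))
    print("safe:  ", build_filter_safe(TEMPLATE, username))
```

Running the block prints the two filters side by side; the escaped one keeps the two-branch group check intact while the unescaped one grows extra clauses.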

agileknight commented 2 years ago

This might help to improve the implementation: https://rules.sonarsource.com/python/RSPEC-2078

Until the code is improved, if I'm not mistaken, using a query like this should improve the situation: X-Ldap-Template: (&(cn=%(username)s)(|(memberOf=x)(memberOf=y)))

lcrilly commented 2 years ago

Thanks! Addressed with https://github.com/nginxinc/nginx-ldap-auth/commit/763f23b29785d96dc2dafbc68524b393eef212f6

For future reference, please direct security issues to security-alerts@nginx.org

marco-silva0000 commented 2 years ago

I don't understand how that commit addresses the issue.

Will there be a release tag with this included?

valodzka commented 2 years ago

I also don't see how it was fixed.

valodzka commented 2 years ago

Also, emails return:

450 4.1.1 <security-alerts@nginx.org>: Recipient address rejected: User unknown in virtual mailbox table