Closed valodzka closed 2 years ago
Hi @valodzka - Thanks for reaching out. I was the engineer working on the blog post about the risk mitigation. We are aware of this issue and we are scheduling a new release of this reference implementation that will escape the username sent by the user.
The mailbox should work; I have just sent a test email from my external mailbox. If you have any further information / details, feel free to share them directly with me at t.stark[at]f5[dot]com.
@tippexs I forwarded bounce email to you.
@valodzka I have created a PR #96 to address this issue.
Done - Closing the issue now
Using simple python formatting for X-Ldap-Template and user input opens the door to ldap query injection attacks. For example:
Then passing username:
x))((cn=username
bypasses the group check. I am reopening this because I don't think #93 was fixed and the email security-alerts@nginx.org doesn't work.
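The injection described in this issue works because the user-supplied name is dropped into the LDAP filter with plain %-formatting, so parentheses in the name become filter syntax. The following is an added example, not code from the nginx-ldap-auth reference implementation or from the issue reporter: it escapes the value per RFC 4515 section 3 before interpolation and counts structural parentheses to show that the hardened form keeps the filter's shape. The template string and group DN are constructed for illustration.

```python
"""Escaping user input before interpolating it into an LDAP search filter.

Added example; not the reference implementation's own code. TEMPLATE and the
group DN are constructed placeholders in the style of an X-Ldap-Template value.
"""
import re

# Constructed template: the user name is interpolated into a filter that also
# checks group membership, which is what the injection payload tries to bypass.
TEMPLATE = "(&(cn=%(username)s)(memberOf=cn=admins,ou=groups,dc=example,dc=com))"

# RFC 4515 section 3: these characters must be written as \XX inside an
# assertion value, otherwise they change the structure of the filter.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion (RFC 4515)."""
    # Per-character mapping, so the backslash is never escaped twice.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(template: str, username: str) -> str:
    """The vulnerable pattern: raw user input goes straight into %-formatting."""
    return template % {"username": username}


def build_filter_safe(template: str, username: str) -> str:
    """Hardened pattern: escape the user-controlled value first."""
    return template % {"username": escape_filter_value(username)}


def structural_parens(filter_str: str) -> int:
    """Count parentheses that the LDAP server will parse as filter structure.

    Escaped forms (\\28 / \\29) are plain text to the server, so only literal
    '(' and ')' are counted.
    """
    return len(re.findall(r"[()]", filter_str))


def filter_shape_preserved(template: str, username: str) -> bool:
    """True if interpolating the (escaped) username adds no filter structure."""
    baseline = structural_parens(template % {"username": ""})
    return structural_parens(build_filter_safe(template, username)) == baseline


if __name__ == "__main__":
    # The payload quoted in the issue: closes the cn assertion and opens a new one.
    payload = "x))((cn=username"
    print("unsafe :", build_filter_unsafe(TEMPLATE, payload))
    print("safe   :", build_filter_safe(TEMPLATE, payload))
    print("shape preserved:", filter_shape_preserved(TEMPLATE, payload))
```

With the issue's payload, the unsafe build grows from six structural parentheses to ten, which is how the extra `(cn=username)` clause ends up alongside the group check; the escaped build stays at six because the parentheses survive only as `\28` and `\29` inside the value. The same counting trick is a cheap unit test to keep around for any template the deployment uses.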