nginxinc / nginx-ldap-auth

Example of LDAP authentication using ngx_http_auth_request_module
BSD 2-Clause "Simplified" License

Query inject attack / security vulnerability #95

Closed valodzka closed 2 years ago

valodzka commented 2 years ago

Using simple python formatting for X-Ldap-Template and user input opens the door to ldap query injection attacks. For example:

X-Ldap-Template: (|(&(memberOf=x)(cn=%(username)s))(&(memberOf=y)(cn=%(username)s)))

Then passing username: x))((cn=username bypasses the group check.

I am reopening this because I don't think #93 was fixed, and the email address security-alerts@nginx.org doesn't work.
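The mitigation the maintainers refer to is escaping the username before it is substituted into the filter template. The following is an added example, not code from nginx-ldap-auth: it applies RFC 4515 value escaping to the template and input quoted in the report above, and adds a simple consistency check (component count of the rendered filter versus the template) that a daemon could run before issuing the search. The template and the test input are the ones from the issue; the function names are this example's own.

```python
# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Template and test input quoted from the issue report; nothing else about the
# daemon's real configuration is assumed.
TEMPLATE = "(|(&(memberOf=x)(cn=%(username)s))(&(memberOf=y)(cn=%(username)s)))"
INJECTED_USERNAME = "x))((cn=username"


def escape_filter_value(value: str) -> str:
    """Hex-escape every RFC 4515 metacharacter so the value can only be matched,
    never restructure the surrounding filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter_raw(template: str, username: str) -> str:
    """The pattern the issue reports: plain %-formatting of user input (vulnerable)."""
    return template % {"username": username}


def render_filter(template: str, username: str) -> str:
    """Hardened form: escape the username, then substitute it into the template."""
    return template % {"username": escape_filter_value(username)}


def expected_components(template: str) -> int:
    """Number of filter components a correctly rendered template must contain.

    Every '(' in the template opens a filter component except the ones that
    belong to a '%(name)s' formatting directive.
    """
    return template.count("(") - template.count("%(")


def rendered_matches_template(template: str, rendered: str) -> bool:
    """Pre-search sanity check: an escaped value contributes no '(' of its own,
    so any extra component means raw metacharacters reached the filter."""
    return rendered.count("(") == expected_components(template)


if __name__ == "__main__":
    for name in ("alice", INJECTED_USERNAME):
        raw = render_filter_raw(TEMPLATE, name)
        safe = render_filter(TEMPLATE, name)
        print(f"{name!r} raw     ok={rendered_matches_template(TEMPLATE, raw)}  {raw}")
        print(f"{name!r} escaped ok={rendered_matches_template(TEMPLATE, safe)}  {safe}")
```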

tippexs commented 2 years ago

Hi @valodzka - Thanks for reaching out. I was the engineer working on the blog post about the risk mitigation. We are aware of this issue and we are scheduling a new release of this reference implementation that will escape the username sent by the user.

The mailbox should work; I have just sent a test email from my external mailbox. If you have any further information / details, feel free to share them directly with me at t.stark[at]f5[dot]com.

valodzka commented 2 years ago

@tippexs I forwarded bounce email to you.

tippexs commented 2 years ago

@valodzka I have created a PR #96 to address this issue.

tippexs commented 2 years ago

Done - Closing the issue now