xperseguers / t3ext-ig_ldap_sso_auth

TYPO3 Extension ig_ldap_sso_auth. This extension provides LDAP and SSO support for TYPO3.
https://extensions.typo3.org/extension/ig_ldap_sso_auth

Wildcard Injection - Frontend and Backend Login #117

Closed stephanederer closed 3 years ago

stephanederer commented 3 years ago

It's not possible to validate the username. LDAP login with an asterisk, e.g. "myuser*ame", is possible, which enables wildcard injections. LDAP injection is maybe also possible.

xperseguers commented 3 years ago

Please describe a bit more what you mean, thanks.

stephanederer commented 3 years ago

cf. #126

xperseguers commented 3 years ago

Fixed with corresponding commit (but did not include a reference to this ticket so not closed automatically).
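
An added example (not the extension's code and not the fix commit mentioned above) of the usual defence against the wildcard behaviour reported in this issue: escaping the login name per RFC 4515 before it is substituted into the LDAP search filter. The filter template, the `{USERNAME}` placeholder and the helper names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515):
 * backslash, '*', '(', ')' and NUL become \XX hex escapes.
 * PHP's ldap extension provides ldap_escape($v, '', LDAP_ESCAPE_FILTER)
 * for the same purpose; this manual version runs without ext-ldap.
 */
function escapeFilterValue(string $value): string
{
    // strtr() with an array replaces in a single pass, so the
    // backslashes it inserts are never escaped a second time.
    return strtr($value, [
        '\\' => '\\5c',
        '*'  => '\\2a',
        '('  => '\\28',
        ')'  => '\\29',
        "\0" => '\\00',
    ]);
}

/** Hypothetical helper: substitute the login name into a filter template. */
function buildUserFilter(string $template, string $username, bool $escape): string
{
    $value = $escape ? escapeFilterValue($username) : $username;
    return str_replace('{USERNAME}', $value, $template);
}

// Constructed sample data: an assumed filter template and three login names.
// "myuser*ame" is the value from the issue report.
$template = '(&(objectClass=person)(uid={USERNAME}))';
$logins   = ['myusername', 'myuser*ame', 'smith (ext)'];

foreach ($logins as $login) {
    // Without escaping, '*' reaches the directory as a substring wildcard
    // and parentheses change the structure of the filter.
    printf("%-12s raw:     %s\n", $login, buildUserFilter($template, $login, false));
    // With escaping, every character is matched literally.
    printf("%-12s escaped: %s\n", '', buildUserFilter($template, $login, true));
}
```

Escaping makes the directory compare the submitted name literally; rejecting login names that contain characters outside the expected username alphabet before the search is a complementary check.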