Currently it is possible to enter LDAP wildcards/filters in the username login field and they don't get escaped. E.g. if the username is something like my.name@company.com you could just enter *name* and if LDAP returns the user as the first result you can successfully login (provided the password is correct). I think this is an security issue because there could be more elaborate things possible but i am not sure.
To fix this i added a ldap_escape() to the corresponding LDAP search. This escapes the username so it can be used in a filter without changing the intent of the filter itself. I'm not sure if there are other places this (LDAP_ESCAPE_FILTER) or an DN escape (LDAP_ESCAPE_DN) should be done.
Currently it is possible to enter LDAP wildcards/filters in the username login field and they don't get escaped. E.g. if the username is something like
my.name@company.com
you could just enter*name*
and if LDAP returns the user as the first result you can successfully login (provided the password is correct). I think this is an security issue because there could be more elaborate things possible but i am not sure.To fix this i added a
ldap_escape()
to the corresponding LDAP search. This escapes the username so it can be used in a filter without changing the intent of the filter itself. I'm not sure if there are other places this (LDAP_ESCAPE_FILTER
) or an DN escape (LDAP_ESCAPE_DN
) should be done.