Bug 785470 (CVE-2012-3981)
[SECURITY] Missing escaping of the username can lead to LDAP injection
Opened 12 years ago, closed 12 years ago
Categories: Bugzilla :: User Accounts, defect
Tracking: RESOLVED FIXED, Bugzilla 3.6
People: Reporter: LpSolit, Assigned: reed
Attachments (1 file, 1 obsolete file): patch, 643 bytes, LpSolit: review+
When the user enters his credentials, no sanity check is done and his username is passed as is to create the filter which will be passed to $self->ldap->search(), see Bugzilla::Auth::Verify::LDAP::_bz_search_params(). This can lead to LDAP injection, as exploited successfully in bug 785112. The username must be escaped, e.g. by using Net::LDAP::Util::escape_filter_value(). This problem has existed since LDAP authentication was implemented in Bugzilla 2.12, see bug 51185.
Flags: blocking4.4+
Flags: blocking4.2.3+
Flags: blocking4.0.8+
Flags: blocking3.6.11+
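Added example (not Bugzilla's code and not part of the original report): a regression check for the escaping described above, using Net::LDAP::Util::escape_filter_value() and Net::LDAP::Filter. The attribute name, the administrator filter, the function names and the sample usernames are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Filter;

# Assumed settings for this example (not Bugzilla's): the login attribute and
# an extra filter of the kind an administrator configures.
my $UID_ATTR     = 'uid';
my $ADMIN_FILTER = '(objectClass=person)';

# "Before": the username goes into the filter exactly as typed.
sub filter_unescaped {
    my ($username) = @_;
    return "(&($UID_ATTR=$username)$ADMIN_FILTER)";
}

# "After": escape the value first, then build the same filter.
sub filter_escaped {
    my ($username) = @_;
    $username = escape_filter_value($username);
    return "(&($UID_ATTR=$username)$ADMIN_FILTER)";
}

# True only if the filter parses to exactly AND(uid equals $username, admin
# clause), i.e. the username stayed a literal value and added no structure.
# Reads Net::LDAP::Filter's parsed hash, so it depends on that module's keys.
sub keeps_shape {
    my ($filter, $username) = @_;
    my $parsed = Net::LDAP::Filter->new($filter) or return 0;
    my $and = $parsed->{and};
    return 0 unless ref($and) eq 'ARRAY' && @$and == 2;
    my $eq = $and->[0]{equalityMatch} or return 0;
    return ($eq->{attributeDesc} eq $UID_ATTR
         && $eq->{assertionValue} eq $username) ? 1 : 0;
}

# Constructed usernames: one plain, two containing filter metacharacters.
for my $name ('jdoe', 'j*', 'jdoe)(mail=*') {
    for my $build (\&filter_unescaped, \&filter_escaped) {
        my $filter = $build->($name);
        printf "%-13s %-45s %s\n", $name, $filter,
            keeps_shape($filter, $name) ? 'ok' : 'SHAPE CHANGED';
    }
}
```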
Comment 1 • 12 years ago (Assignee)
something like this? :)
Attachment #655094 - Flags: review?(LpSolit)
Comment 2 • 12 years ago (Reporter)
Comment on attachment 655094: patch - v1 (untested)
>- . "=$username)"
>+ . '=' . escape_filter_value($username) . ')'
Nit: instead of this, we could write:
$username = escape_filter_value($username);
before building the filter. The code would be easier to parse.
Anyway, I had the same fix in mind, so r=LpSolit from a code point of view, but I'm totally unable to test this patch as I have no LDAP installation to play with. So before being checked in, it needs to be tested (we cannot afford to break LDAP authentication on branches).
Attachment #655094 - Flags: review?(LpSolit)
Attachment #655094 - Flags: review?
Attachment #655094 - Flags: review+
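Review bot: the `+` line calls escape_filter_value() unqualified, and the quoted lines do not show an import for it; confirm that LDAP.pm carries `use Net::LDAP::Util qw(escape_filter_value);`, otherwise the call fails at runtime on the login path. Since the attachment is marked untested, a login check with usernames containing `*`, `(`, `)` and `\` should be run before this lands on the branches.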
Updated • 12 years ago (Reporter)
Assignee: user-accounts → reed
Status: NEW → ASSIGNED
Comment 3 • 12 years ago (Reporter)
CC'ing our LDAP guru. :) manu, could you look at the patch, please?
Comment 4 • 12 years ago
I've tested the patch and it doesn't break LDAP authentication (mine, at least). Like LpSolit, I'm far more partial to adding: $username = escape_filter_value($username); before the return call. It's much more readable that way.
Comment 5 • 12 years ago (Reporter)
Comment on attachment 655094: patch - v1 (untested)
OK, manu's testing is enough for me. No need for another review. Thanks, manu! :)
Attachment #655094 - Flags: review?
Comment 6 • 12 years ago (Reporter)
reed, we need a CVE number for this one.
Flags: approval?
Flags: approval4.2?
Flags: approval4.0?
Flags: approval3.6?
Updated • 12 years ago
Summary: [SECURITY] Missing escaping of the username can lead to LDAP injection → (CVE-2012-3981)[SECURITY] Missing escaping of the username can lead to LDAP injection
Updated • 12 years ago (Assignee)
Alias: CVE-2012-3981
Summary: (CVE-2012-3981)[SECURITY] Missing escaping of the username can lead to LDAP injection → [SECURITY] Missing escaping of the username can lead to LDAP injection
Comment 7 • 12 years ago (Assignee)
For check-in.
Attachment #655094 - Attachment is obsolete: true
Attachment #656030 - Flags: review?(LpSolit)
Updated • 12 years ago (Assignee)
Attachment #656030 - Attachment is patch: true
Comment 8 • 12 years ago
I've discussed this a bit with LpSolit and I don't see how this allows you to inject data into the LDAP directory. At best, you can probably invalidate the filter that the Bugzilla administrator put in place but that's a stretch and you'll still need the password of an account to log in.
Alias: CVE-2012-3981
Updated • 12 years ago
Alias: CVE-2012-3981
Comment 9 • 12 years ago (Reporter)
Comment on attachment 656030: patch - v2
r=LpSolit
Attachment #656030 - Flags: review?(LpSolit) → review+
Updated • 12 years ago (Reporter)
Flags: approval?
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval+
Comment 10 • 12 years ago (Reporter)
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Auth/Verify/LDAP.pm
Committed revision 8370.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified Bugzilla/Auth/Verify/LDAP.pm
Committed revision 8132.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified Bugzilla/Auth/Verify/LDAP.pm
Committed revision 7721.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified Bugzilla/Auth/Verify/LDAP.pm
Committed revision 7297.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated • 12 years ago
Group: bugzilla-security