[dokuwiki] Re: Dokuwiki (maybe) security issue: Null byte poisoning in LDAP authentication

  • From: Christopher Smith <chris@xxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Fri, 19 Sep 2014 14:06:59 +0100

On 18 Sep 2014, at 19:10, Andreas Gohr <andi@xxxxxxxxxxxxxx> wrote:

> Hi *,
> 
> I recently got the message below which seems to point to a security
> flaw in relation to LDAP/AD authentications. It's a long mail and I'm
> not 100% sure I understood it correctly. But it seems there's a way to
> 
> a) zero out a password, switching the login to an unauthenticated one
> b) zero out user and password, switching the login to an anonymous one
> 
> I think the correct way to fix this is removing zero bytes from the
> affected strings. I could implement that in various places and I
> wonder what would be the best:
> 
> 1) in the LDAP and AD auth plugins
> 2) in the auth handling (thus applying to all auth plugins)
> 3) in $INPUT filtering all GET and POST vars always
> 
> I am leaning towards 3) but there might be a reasonable case where you
> might want to post a zero byte?
> 
> I am also not sure about the severity of the bug and would like to get
> your input on that.
> 
> Andi
> 
> 

I lean towards implementing a fix in (2).  Good defensive programming would 
suggest it's implemented in (1) no matter what, and that the LDAP/AD plugins query to 
discover the type of the bind (I have no idea if that is possible, efficient or 
reasonable).

I feel it should be possible to send any data via POST.  Personally, I don't 
think it would be bad to extend $INPUT int and str methods to support min/max 
(int) and regex (str).  A default regex for str could be to exclude 
non-printable ASCII chars.

- Chris
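As an added illustration of the two layers discussed in this thread (a central NUL-byte filter on request input, options (2)/(3), and a defensive check in the auth plugin before any bind, option (1)), here is example PHP. It is not DokuWiki's own code: `FilteredInput`, `stripNullBytes` and `bindBlockedReason` are stand-ins assumed for the example, not the project's real `$INPUT` API or its LDAP/AD plugins.

```php
<?php
// Added example (not DokuWiki code): two layers against NUL-byte poisoning of
// LDAP/AD credentials, matching options (2)/(3) and (1) from the thread.
// FilteredInput and bindBlockedReason are illustrative stand-ins, not the real $INPUT API.

/**
 * Options (2)/(3): strip NUL bytes from every GET/POST value, recursively for arrays.
 * As the report describes, a C-backed LDAP client treats "\0" as end-of-string, so a
 * password of "\0..." arrives as empty and a normal bind becomes an unauthenticated one.
 */
function stripNullBytes($value)
{
    if (is_array($value)) {
        return array_map('stripNullBytes', $value);
    }
    return str_replace("\0", '', (string) $value);
}

/** Minimal stand-in for an input wrapper that applies the filter once, centrally. */
class FilteredInput
{
    private $data;

    public function __construct(array $raw)
    {
        $this->data = stripNullBytes($raw);
    }

    /** Return a string parameter, or $default if it is missing or not a string. */
    public function str($name, $default = '')
    {
        if (!isset($this->data[$name]) || !is_string($this->data[$name])) {
            return $default;
        }
        return $this->data[$name];
    }
}

/**
 * Option (1): the auth plugin never attempts a bind with an empty user or password,
 * so even a NUL that slipped past the filter cannot turn into an anonymous or
 * unauthenticated bind. Returns a reason string, or null when the bind may proceed.
 */
function bindBlockedReason($user, $pass)
{
    if ($user === '') {
        return 'empty user would request an anonymous bind';
    }
    if ($pass === '') {
        return 'empty password would request an unauthenticated bind';
    }
    if (strpos($user, "\0") !== false || strpos($pass, "\0") !== false) {
        return 'credential contains a NUL byte';
    }
    return null;
}

// Constructed sample requests (not captured traffic), one per case Andi lists.
$samples = [
    ['u' => 'alice', 'p' => 'correct horse'], // normal login
    ['u' => 'alice', 'p' => "\0"],            // a) password zeroed out
    ['u' => "\0",    'p' => "\0"],            // b) user and password zeroed out
];

foreach ($samples as $raw) {
    $input = new FilteredInput($raw);
    $user  = $input->str('u');
    $pass  = $input->str('p');
    $why   = bindBlockedReason($user, $pass);
    printf("user=%s pass=%s -> %s\n",
        json_encode($user), json_encode($pass),
        $why === null ? 'bind allowed' : 'blocked: ' . $why);
}
```

Run with `php`, this prints one line per sample: the first bind is allowed, while the second and third are stopped before any LDAP call is made, because the filter reduces the poisoned values to empty strings and the guard refuses empty credentials. Keeping the guard even when the filter is in place is the point of doing (1) "no matter what": it also covers a plugin that reads raw `$_POST` instead of `$INPUT`.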
