[dokuwiki] Re: Dokuwiki (maybe) security issue: Null byte poisoning in LDAP authentication

  • From: Christopher Smith <chris@xxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Fri, 19 Sep 2014 14:06:59 +0100

On 18 Sep 2014, at 19:10, Andreas Gohr <andi@xxxxxxxxxxxxxx> wrote:

> Hi *,
> I recently got the message below which seems to point to a security
> flaw in relation to LDAP/AD authentications. It's a long mail and I'm
> not 100% sure I understood it correctly. But it seems there's a way to
> a) zero out a password, switching the login to an unauthenticated one
> b) zero out user and password, switching the login to an anonymous one
> I think the correct way to fix this is removing zero bytes from the
> affected strings. I could implement that in various places and I
> wonder what would be the best:
> 1) in the LDAP and AD auth plugins
> 2) in the auth handling (thus applying to all auth plugins)
> 3) in $INPUT filtering all GET and POST vars always
> I am leaning towards 3) but there might be a reasonable case where you
> might want to post a zero byte?
> I am also not sure about the severity of the bug and would like to get
> your input on that.
> Andi

I lean towards implementing a fix in (2).  Good defensive programming would 
suggest its implemented in (1) no matter, and that the LDAP/AD plugins query to 
discover the type of the bind (I have no idea if that is possible, efficient or 

I feel it should be possible to send any data via POST.  Personally, I don't 
think it would be bad to extend $INPUT int and str methods to support min/max 
(int) and regex (str).  A default regex for str could be to exclude 
non-printable ascii chars.

- Chris

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Other related posts: