[dokuwiki] Re: Dokuwiki (maybe) security issue: Null byte poisoning in LDAP authentication

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: DokuWiki Mailinglist <dokuwiki@xxxxxxxxxxxxx>
  • Date: Tue, 23 Sep 2014 20:24:57 +0200

>> I think the correct way to fix this is removing zero bytes from the
>> affected strings. I could implement that in various places and I
>> wonder what would be the best:
>>
>> 1) in the LDAP and AD auth plugins
>> 2) in the auth handling (thus applying to all auth plugins)
>> 3) in $INPUT filtering all GET and POST vars always
>
> I lean towards implementing a fix in (2). Good defensive programming would
> suggest it's implemented in (1) no matter, and that the LDAP/AD plugins query
> to discover the type of the bind (I have no idea if that is possible, 
> efficient or reasonable).

I don't think LDAP can discover the type of bind. It's success or
failure only, the type is determined by the type of credentials.
Anyway I implemented it in 2) here:
https://github.com/splitbrain/dokuwiki/pull/868

I also added a filter mechanism to the $INPUT class here:
https://github.com/splitbrain/dokuwiki/pull/869

I'd appreciate quick feedback on both. I guess we should also issue
a hotfix release.

Andi

-- 
splitbrain.org
-- 
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
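
Option (2) from the message above, sketched as an added example that is not part of the original post and is not DokuWiki's code or the content of either pull request. All function names are hypothetical, and the stand-in backend rests on two assumptions: the underlying library reads strings only up to the first NUL byte, and a bind with an empty password is reported as success.

```php
<?php
// Added illustration; not DokuWiki code. All function names are hypothetical.

/** Remove NUL bytes from a credential string before any backend sees it. */
function strip_nul(string $s): string
{
    return str_replace("\0", '', $s);
}

/**
 * Stand-in for an auth backend built on a C library (assumption): strings end
 * at the first NUL byte, and the caller learns only success or failure.
 * A bind with an empty password is modelled as succeeding (assumption).
 */
function fake_c_backend_bind(string $user, string $pass, array $directory): bool
{
    $seenUser = explode("\0", $user, 2)[0];
    $seenPass = explode("\0", $pass, 2)[0];
    if ($seenPass === '') {
        return true; // reported as success although no password was verified
    }
    return isset($directory[$seenUser]) && hash_equals($directory[$seenUser], $seenPass);
}

/** Central auth handling: sanitize once, refuse empty values, then call the backend. */
function check_login(string $user, string $pass, array $directory): bool
{
    $user = strip_nul($user);
    $pass = strip_nul($pass);
    if ($user === '' || $pass === '') {
        return false; // never hand an empty credential to any backend
    }
    return fake_c_backend_bind($user, $pass, $directory);
}

$directory = ['alice' => 'correct horse']; // constructed sample data
$cases = [
    'valid password' => ['alice', 'correct horse'],
    'wrong password' => ['alice', 'guess'],
    'NUL-prefixed'   => ['alice', "\0guess"],
    'only NUL'       => ['alice', "\0"],
];
foreach ($cases as $label => [$u, $p]) {
    printf("%-16s backend alone: %-5s  central filter: %s\n", $label,
        var_export(fake_c_backend_bind($u, $p, $directory), true),
        var_export(check_login($u, $p, $directory), true));
}
```

The empty-value check has to run after the stripping, otherwise a string consisting only of NUL bytes passes a non-empty test in PHP and still reaches the backend as an empty password.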
