Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 21 Sep 2015 12:56:55 +1000
From: David Black <dblack@...assian.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to
 ldap injection.

On 19 September 2015 at 05:08, <cve-assign@...re.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > https://github.com/vesse/node-ldapauth-fork/issues/21
> >
> https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4
>
> Use CVE-2015-7294.
>
> The existence of a fork does not, by itself, lead to use of multiple CVE
> IDs.
> The CVE ID is for the vulnerability in the shared codebase, regardless of
> the
> product names in which that codebase is used.
>
>
> https://github.com/vesse/node-ldapauth-fork/issues/21#issuecomment-108186158
> has comments from the vendor about possible mitigating factors. Given
> those comments, is the most straightforward threat that the attacker
> may be able to arrange for a search result to be exactly one username,
> and may not know the complete username in advance but may know the
> password in advance?
>

That's one option. I was actually thinking that an attacker could also
exploit this issue to extract information from ldap - provided that the
attacker knows a working username and password combination then they should
be able craft ldap queries that only match their username if an additional
search condition is met.


-- 
David Black / Security Engineer.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ