Vulnerable to ldap injection #21
Seems true to some extent, although the parameter is used only in search, the search fails if the result size is not one, and the search result together with the provided password needs to successfully bind before the resulting object is returned to the caller. Nevertheless I'll see if I find a good source on what characters (in addition to the obvious *, |, and parentheses) need to be escaped.
@vesse RFC 4515 section 3, https://tools.ietf.org/search/rfc4515#section-3, states the following:
The username is not filtered as per the LDAP specifications, so the code seems to be vulnerable to LDAP injection: https://www.owasp.org/index.php/LDAP_injection
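An added example, not code from this project or from anyone in the thread: the RFC 4515 section 3 escaping applied to the username before it is substituted into the search filter, shown beside the unescaped construction. The `{{username}}` placeholder, the filter template and the sample username are assumptions constructed for the example.

```javascript
// RFC 4515 section 3: inside a filter assertion value the characters
// '*', '(', ')', '\' and NUL must be escaped as a backslash followed by the
// two hex digits of the byte value. Any other character may pass through.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, "0");
    return "\\" + hex;
  });
}

// Unescaped construction: the raw username lands inside the filter, so any
// filter metacharacters it carries change the structure of the search.
function buildFilterUnescaped(searchFilter, username) {
  return searchFilter.replace("{{username}}", username);
}

// Escaped construction: the username can only ever be an assertion value.
function buildFilterEscaped(searchFilter, username) {
  return searchFilter.replace("{{username}}", escapeFilterValue(username));
}

// Count literal parentheses so the effect on filter structure is visible:
// a single-assertion template should still yield exactly one '(' and one ')'.
function countParens(filter) {
  const open = (filter.match(/\(/g) || []).length;
  const close = (filter.match(/\)/g) || []).length;
  return { open, close };
}

// Constructed sample (hypothetical placeholder convention and username):
// the username carries the metacharacters the thread lists.
const TEMPLATE = "(uid={{username}})";
const SAMPLE_USERNAME = "bob*)(|(uid=*";

console.log(buildFilterUnescaped(TEMPLATE, SAMPLE_USERNAME)); // (uid=bob*)(|(uid=*)
console.log(buildFilterEscaped(TEMPLATE, SAMPLE_USERNAME));   // (uid=bob\2a\29\28|\28uid=\2a)
```

With escaping, the escaped result keeps one opening and one closing parenthesis regardless of the input, which is the property a check on the built filter can assert before the search is issued.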