First Last Prev Next    This bug is not in your last search results.
Bug 57264 - Missing LDAP filter escaping in univention-mail-cyrus
Missing LDAP filter escaping in univention-mail-cyrus
Status: NEW
Product: UCS
Classification: Unclassified
Component: PAM
UCS 5.0
Other Linux
: P5 normal (vote)
: ---
Assigned To: UCS maintainers
UCS maintainers
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2024-05-08 10:11 CEST by Juan Carlos
Modified: 2024-05-08 11:10 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Juan Carlos univentionstaff 2024-05-08 10:11:51 CEST 
In base/pam-univentionmailcyrus/pam_univentionmailcyrus.c:
161     rv = snprintf(filter, BUFSIZ, "(&(%s=%s)(%s=*))", fromattr, fromuser, toattr);

The filter values are not escaped.

As shown here https://forge.univention.org/bugzilla/show_bug.cgi?id=56360

>When I authenticate with an corrupted subset of an invalid LDAP filter I see in /var/log/auth.log it's used for the query: 
>> PAM('dovecot').authenticate('*)(cn=security)', 'univention')
>
>> PAM-univentionmailcyrus[19138]: Failed to query LDAP server: (&(mailPrimaryAddress=*)(cn=security))(uid=*))
First Last Prev Next    This bug is not in your last search results.