LDAP injection in the custom Atlassian authentication code

2012-07-31T09:07:05
ID ATLASSIAN:CONFCLOUD-47275
Type atlassian
Reporter dblack
Modified 2017-04-02T09:06:08

Description

{panel:bgColor=#e7f4fa} NOTE: This bug report is for Confluence Cloud. Using Confluence Server? [See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-47275]. {panel}

The custom Atlassian LDAP authentication code is vulnerable to LDAP injection. The vulnerable method is searchUser, where the 'filter' parameter (the third argument to the search_s LDAP method) is built from the raw username and passed through without first escaping it with ldap.filter. The code should be changed to call the ldap.filter.escape_filter_chars function on the username before it is placed in the filter.

{code}
# forum_modules/atlassianauth/authentication.py (vulnerable version, as reported)
# 'settings', '_' and 'InvalidAuthentication' come from the surrounding module.
import ldap

def searchUser( self, conn, username ):
    is_staff=username.endswith( "@atlassian.com" )

    # Injection point: the raw username is formatted straight into the
    # search filter with no escaping of ( ) * or backslash.
    cn="cn=%s"%username
    if is_staff:
        base=settings.LDAP_STAFF_BASE.value
    else:
        base=settings.LDAP_CUSTOMER_BASE.value

    # The third positional argument of search_s is the filter string.
    search=conn.search_s( base, ldap.SCOPE_SUBTREE, cn )
    if not search:
        raise InvalidAuthentication( _( 'Login failed; user not found. Please register at https://my.atlassian.com/' ) )
    if len( search )>1:
        raise InvalidAuthentication( _( "Found multiple users looking up %s"%username ) )

    return search[0]
{code}
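For comparison, an added example (not the reporter's or the project's code) of the fix described above: the username is escaped per RFC 4515 before it is placed in the filter, using python-ldap's ldap.filter.escape_filter_chars when it is installed and an equivalent local fallback otherwise. The names vulnerable_cn_filter, build_cn_filter and is_single_equality_item are assumptions for this demo.

```python
"""Hardened construction of the searchUser filter (added example).

Names vulnerable_cn_filter / build_cn_filter / is_single_equality_item are
assumptions for this demo; the escaping rules are those of RFC 4515, which
is exactly what python-ldap's ldap.filter.escape_filter_chars does with
its default escape_mode=0.
"""
import re

try:
    from ldap.filter import escape_filter_chars  # python-ldap, if installed
except ImportError:
    # Offline fallback producing the same output as escape_mode=0.
    # Backslash must be replaced first so later escapes are not re-escaped.
    def escape_filter_chars(value: str) -> str:
        for ch, code in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                         (")", r"\29"), ("\x00", r"\00")):
            value = value.replace(ch, code)
        return value


def vulnerable_cn_filter(username: str) -> str:
    """The reported construction: username is spliced in verbatim."""
    return "cn=%s" % username


def build_cn_filter(username: str) -> str:
    """Fixed construction: username becomes an escaped assertion value, so
    any parentheses, '*' or backslashes it contains stay literal characters
    and cannot open additional filter items."""
    return "(cn=%s)" % escape_filter_chars(username)


# Exactly one parenthesised cn= equality item whose value contains no
# unescaped '(' ')' '*' and no backslash except as part of a \XX hex escape.
_SINGLE_ITEM = re.compile(r"^\(cn=(?:[^()*\\]|\\[0-9a-fA-F]{2})*\)$")


def is_single_equality_item(ldap_filter: str) -> bool:
    """True if the filter still selects on cn alone; a cheap unit-test
    check for any code path that builds filters from user input."""
    return _SINGLE_ITEM.match(ldap_filter) is not None


if __name__ == "__main__":
    # Constructed input: the payload shape quoted in the Impact section.
    payload = "jlargman) (| (password = 'a' ) )"
    for label, flt in (("unescaped", vulnerable_cn_filter(payload)),
                       ("escaped  ", build_cn_filter(payload))):
        print(f"{label}: {flt!r} single-item={is_single_equality_item(flt)}")
```

With python-ldap installed, `ldap.filter.filter_format("(cn=%s)", [username])` performs the same escaping in one call.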

h3. Impact

It is possible to brute-force user names, or the values of any other LDAP field, by submitting crafted arguments such as "jlargman) (| (password = 'a' ) )", then "aa", and so on, and observing which error comes back ("user not found" vs. "found multiple users" vs. a different error when exactly one result is returned, which need not be the user name).

See https://www.owasp.org/index.php/LDAP_injection for some examples.