LDAP injection in the custom Atlassian authentication code


    • Severity 3 - Minor

      NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report.

      The custom Atlassian LDAP authentication code is vulnerable to LDAP injection. The vulnerable method is searchUser, where the 'filter' argument (third argument to the search_s LDAP method) is built from the username and passed through without escaping it first. The code should call ldap.filter.escape_filter_chars on the username before building the filter.

      forum_modules/atlassianauth/authentication.py

          import ldap
          # settings, InvalidAuthentication and the gettext alias _ are defined
          # elsewhere in this module; only the vulnerable method is reproduced here.

          def searchUser( self, conn, username ):
              is_staff=username.endswith( "@atlassian.com" )

              # Vulnerable: the raw username is interpolated into the search filter
              # without ldap.filter.escape_filter_chars, so filter metacharacters
              # ( ) * \ in the username become part of the filter syntax.
              cn="cn=%s"%username
              if is_staff:
                  base=settings.LDAP_STAFF_BASE.value
              else:
                  base=settings.LDAP_CUSTOMER_BASE.value

              # The unescaped filter is sent to the directory as-is.
              search=conn.search_s( base, ldap.SCOPE_SUBTREE, cn )
              if not search:
                  raise InvalidAuthentication( _( 'Login failed; user not found. Please register at https://my.atlassian.com/' ) )
              if len( search )>1:
                  raise InvalidAuthentication( _( "Found multiple users looking up %s"%username ) )

              return search[0]


      Impact :

      It is possible to brute-force user names or the values of any other LDAP attribute by submitting crafted arguments, e.g. "jlargman) (| (password = 'a*' ) )", then "aa*", and so on, and checking which error comes back ("user not found" vs. "found multiple users" vs. a different error when exactly one result is returned, which need not be the user name itself).

      See https://www.owasp.org/index.php/LDAP_injection for some examples.
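      The following is an added example, not code from this issue or from the Atlassian module: it puts the unescaped filter construction from searchUser next to the escaped form the report asks for, and evaluates both against a small constructed in-memory directory so the effect of escaping can be seen offline. It assumes a filter template with an enclosing AND (the page's code uses a bare "cn=%s"), so that an input which closes the cn clause early still yields a syntactically valid filter; the escape function re-implements RFC 4515 escaping as python-ldap's ldap.filter.escape_filter_chars does, so the example runs without python-ldap installed. The attribute names, entries and the probe string are constructed for the demonstration.

```python
"""Added example: LDAP filter injection versus RFC 4515 escaping.

Not code from the issue or the Atlassian module. The directory, the filter
template and the probe input are constructed; the in-memory filter evaluator
stands in for a real LDAP server so the example runs offline.
"""
import re

# Assumption: an enclosing AND so an early-closed clause still parses.
FILTER_TEMPLATE = "(&(cn=%s)(objectclass=person))"

# Constructed sample entries (attribute names lower-cased, values as lists).
DIRECTORY = [
    {"cn": ["jlargman"], "objectclass": ["person"], "mail": ["jlargman@example.com"]},
    {"cn": ["msmith"], "objectclass": ["person"], "mail": ["msmith@example.com"]},
]

# RFC 4515 escaping; equivalent to python-ldap's ldap.filter.escape_filter_chars
# (re-implemented here only so the example has no external dependency).
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_chars(value):
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_filter_unsafe(username):
    # Mirrors the issue: the raw username is interpolated into the filter.
    return FILTER_TEMPLATE % username


def build_filter_safe(username):
    # The fix the report asks for: escape before interpolating.
    return FILTER_TEMPLATE % escape_filter_chars(username)


def _value_to_regex(value):
    # '*' is a wildcard; '\xx' hex escapes denote literal characters.
    parts = []
    for segment in value.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), segment)
        parts.append(re.escape(literal))
    return re.compile("^" + ".*".join(parts) + "$", re.DOTALL)


def _parse(s, i):
    # Minimal RFC 4515 parser: (&...), (|...), (!...) and (attr=value).
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    op = s[i]
    if op in "&|":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated compound filter in %r" % s)
        return ("and" if op == "&" else "or", children), i + 1
    if op == "!":
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated NOT filter in %r" % s)
        return ("not", child), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("eq", attr.strip().lower(), _value_to_regex(value)), end + 1


def _matches(node, entry):
    kind = node[0]
    if kind == "and":
        return all(_matches(c, entry) for c in node[1])
    if kind == "or":
        return any(_matches(c, entry) for c in node[1])
    if kind == "not":
        return not _matches(node[1], entry)
    _, attr, pattern = node
    return any(pattern.match(v) for v in entry.get(attr, []))


def search_user(directory, username, build_filter):
    """Evaluate the built filter over the directory; return matching entries."""
    flt = build_filter(username)
    node, end = _parse(flt, 0)
    if end != len(flt):
        raise ValueError("trailing data in filter: %r" % flt[end:])
    return [e for e in directory if _matches(node, e)]


if __name__ == "__main__":
    # Constructed probe: closes the cn clause and adds a test on another attribute.
    probe = "jlargman)(mail=j*"
    for label, builder in (("unsafe", build_filter_unsafe), ("safe", build_filter_safe)):
        flt = builder(probe)
        hits = search_user(DIRECTORY, probe, builder)
        print("%s: %s -> %d result(s)" % (label, flt, len(hits)))
```

With the unsafe builder the probe becomes a valid filter whose extra clause is evaluated by the directory, so the result count reflects the mail attribute rather than the cn; with the safe builder the same input is a single literal cn value that matches nothing. In the real module the fix is the one the report states: pass the username through ldap.filter.escape_filter_chars before building the filter.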

            Assignee: David Black
            Reporter: David Black
            Votes: 0
            Watchers: 3
