exozyme/exozyme
7
12
Fork 0
Code Issues 4 Pull requests Projects Releases 39 Wiki Activity

LDAP server exposes too much information to an unauthenticated query #62

New issue
Closed
opened 2021-10-30 15:08:04 +00:00 by a · 2 comments
a commented 2021-10-30 15:08:04 +00:00
Owner
Copy link

Without any authentication, you can query for the usernames and some other sensitive information. Since we are also using SSH on the standard port, an attacker could brute-force a particular user that they found by doing an LDAP query.

Without any authentication, you can query for the usernames and some other sensitive information. Since we are also using SSH on the standard port, an attacker could brute-force a particular user that they found by doing an LDAP query.
a added this to the v5.0 milestone 2021-10-30 15:08:04 +00:00
a added the
security
bug
 labels 2021-10-30 15:08:04 +00:00
a self-assigned this 2021-10-30 15:08:04 +00:00
a added this to the (deleted) project 2021-10-30 15:08:04 +00:00
a commented 2021-10-30 15:15:00 +00:00
Author
Owner
Copy link

Eh, this isn't too important since a determined attacker could get the usernames using other methods. The only other "sensitive" info you can get from an unauthenticated LDAP query is their UID number and home directory, which isn't sensitive at all.

Eh, this isn't too important since a determined attacker could get the usernames using other methods. The only other "sensitive" info you can get from an unauthenticated LDAP query is their UID number and home directory, which isn't sensitive at all.
a closed this issue 2021-10-30 15:15:00 +00:00
a commented 2021-10-30 15:15:51 +00:00
Author
Owner
Copy link

While our LDAP server is exposed to the internet, I don't want to mess with LDAP configs since it works and it's probably going to break if I try to tweak things.

While our LDAP server is exposed to the internet, I don't want to mess with LDAP configs since it works and it's probably going to break if I try to tweak things.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
v9.0
v8.8
v8.7
v8.6
v8.5
v8.4
v8.3
v8.2
v8.1
v8.0
v7.10
v7.9
v7.8
v7.7
v7.6
v7.5
v7.4
v7.3
v7.2
v7.1
v7.0
v6.1
v6.0
v5.1
v5.0
v4.2
v4.1
v4.0
v3.0
v2.5
v2.4
v2.3
v2.2
v2.1
v2.0
v1.3
v1.2
v1.1
v1.0
v0.3-beta
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
security

Security vulnerability

  
wontfix

This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
invalid
question
security
wontfix
Milestone
Clear milestone
No items
No milestone
v5.0
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
a
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: exozyme/exozyme#62
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?