https://bz.apache.org/bugzilla/show_bug.cgi?id=65224
Bug ID: 65224
Summary: JNDIRealm doesn't escape filters containing username
Product: Tomcat 8
Version: 8.5.65
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ----
Bug 23190 fixes a similar issue. But the methods JNDIRealm.getUserBySearch() and
getUserByPattern() still use unescaped filters. The already available
doRFC2254Encoding() would fix the issue.
In the following use case it is even a security issue.
Tomcat runs with LockoutRealm over JNDIRealm and only one user Hugo in the
configured userBase. A client can log on with Hugo/<password> as well as with
H*/<password>. It always works if the LDAP search returns exactly one entry for the
query.
A bad client can outflank the lockout configuration with
H*/<wrong_password1-5>, H**/<wrong_password6-10> etc.
Besides the lockout troubles, I don't think it is acceptable to allow logon for
H* instead of the real user Hugo.
The issue actually exists in all (current) Tomcat versions.
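As an added illustration (not code from the bug report or from Tomcat), the following Python models why an unescaped username in a userSearch filter lets H* match the single user Hugo while the RFC 2254-escaped form matches only a literal "H*"; the directory content and the names escape_filter_value, build_user_filter and search are constructed for this example.

```python
import re

# RFC 2254 / RFC 4515 escaping of a value placed inside an LDAP search filter,
# the same idea as JNDIRealm.doRFC2254Encoding(): special characters become \XX.
def escape_filter_value(value: str) -> str:
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def build_user_filter(user_search: str, username: str, escape: bool) -> str:
    """Fill the {0} placeholder of a userSearch pattern such as "(uid={0})"."""
    value = escape_filter_value(username) if escape else username
    return user_search.replace("{0}", value)

# Constructed toy directory: exactly one user below the configured userBase.
DIRECTORY = {"uid=hugo,ou=people,dc=example,dc=com": {"uid": "Hugo"}}

def _filter_to_regex(value: str) -> "re.Pattern":
    # An unescaped '*' is a substring wildcard; a '\XX' escape is a literal character.
    parts = []
    for token in re.split(r"(\\[0-9a-fA-F]{2}|\*)", value):
        if token == "*":
            parts.append(".*")
        elif token.startswith("\\") and len(token) == 3:
            parts.append(re.escape(chr(int(token[1:], 16))))
        elif token:
            parts.append(re.escape(token))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def search(ldap_filter: str) -> list:
    """Simulate a directory search for one equality filter of the form (attr=value)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, pattern = m.group(1), _filter_to_regex(m.group(2))
    return [dn for dn, e in DIRECTORY.items() if pattern.fullmatch(e.get(attr, ""))]

if __name__ == "__main__":
    for escape in (False, True):
        f = build_user_filter("(uid={0})", "H*", escape)
        print(f, "->", search(f))   # unescaped: 1 hit (Hugo); escaped: no hit
```

With the escaped filter the lookup for H* returns nothing, so the LockoutRealm counts the failures against the literal name the client sent rather than against Hugo.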