directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Johan Bergman (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRSERVER-1259) Make the userPassword not searchable from the outside
Date Mon, 05 May 2014 01:31:16 GMT

    [ https://issues.apache.org/jira/browse/DIRSERVER-1259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13989232#comment-13989232
] 

Johan Bergman commented on DIRSERVER-1259:
------------------------------------------

Hi, where are you guys in this issue? Our Sonatype CLM scans are still finding this vulnerability
in the latest version (2.0.0-M16)

> Make the userPassword not searchable from the outside
> -----------------------------------------------------
>
>                 Key: DIRSERVER-1259
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1259
>             Project: Directory ApacheDS
>          Issue Type: New Feature
>    Affects Versions: 1.5.4
>            Reporter: Emmanuel Lecharny
>             Fix For: 2.0.0-RC1
>
>
> The userPassword attribute should not be searchable by default. More specifically, it
should not be a part of any filter, as it may be a security breach (imagine you use something
like (&(cn=foo)(userPassword > a)(userPassword < c)), you can easily find the password
in a very simple way...)



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message