guacamole-user mailing list archives

From Nick Couchman <vn...@apache.org>
Subject Re: Secure restful url
Date Mon, 14 Jan 2019 20:23:09 GMT
On Mon, Jan 14, 2019 at 2:44 PM sciUser <shulbert@securitycentric.net>
wrote:

> Sure,
>
> We will not be moving to 1.0.0 until it's had a full 120 day dev QA, so far
> there are a lot of bugs that need to be worked out.
>
> 1. https://securitytraning.com/ldap-injection-attacks-web-for-pentester/
> 2. https://www.hackthis.co.uk/forum/hacking-security/tutorials-articles/604-ldap-injection-tutorial
> 3. https://tools.kali.org/information-gathering/enum4linux
>
>
As with many vulnerabilities, it seems like these rely on people not
writing code correctly and failing to escape items which might be
configured or input by the end-user.  Proper escaping of that code should
mitigate these attacks, no?


> I can cite a lot more, but we are running advanced security labs with tools
> that can rip a network apart if not correctly isolated.  So this is why we
> don't use LDAP which can be exploited.
>

This is, once again, a broad statement, that may or may not be true,
depending on the quality of the code that is authenticating against LDAP.
Obviously I would not recommend making an LDAP server available on the
Internet directly, nor would I recommend making web pages available with
basic code that doesn't correctly handle that escaping.  But I would feel
fairly confident in saying that not every piece of code that authenticates
against LDAP is vulnerable to LDAP Injection attacks.  It would be like
saying, "Don't write code that uses a database, because it's vulnerable to
SQL Injection attacks."

-Nick
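
The escaping discussed in the message above, as an added example that is not part of the original e-mail or of the Guacamole code base. It applies the RFC 4515 assertion-value escapes to user input before it is placed in a search filter; the function names, the uid-based filter and the sample input are assumptions constructed for illustration.

```python
# Added example: RFC 4515 escaping of user input used in an LDAP search filter.
# All names and the filter template are hypothetical, not taken from Guacamole.

# Characters RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return value with every filter metacharacter replaced by its \\XX form."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_filter(username: str) -> str:
    """Unsafe 'before' form: input is concatenated into the filter unchanged."""
    return "(&(objectClass=person)(uid=" + username + "))"


def safe_filter(username: str) -> str:
    """Hardened form: input is escaped, so it can only ever be a literal value."""
    return "(&(objectClass=person)(uid=" + escape_filter_value(username) + "))"


def structure(filter_str: str) -> tuple:
    """(component count, wildcard count) as a directory server would parse them.

    Escaped characters appear as \\28 / \\2a, so literal '(' and '*' left in
    the string are exactly the ones that carry filter syntax.
    """
    return (filter_str.count("("), filter_str.count("*"))


if __name__ == "__main__":
    # Constructed inputs: an ordinary login name and one with metacharacters.
    for name in ("jsmith", "*)(uid=*"):
        print(repr(name))
        print("  naive:", naive_filter(name), structure(naive_filter(name)))
        print("  safe: ", safe_filter(name), structure(safe_filter(name)))
```

With the escaped form the filter keeps the same three components and no wildcards regardless of input, which is the property to check for when reviewing code that builds LDAP filters.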
