guacamole-user mailing list archives
From Mike Jumper <mjum...@apache.org>
Subject Re: Secure restful url
Date Mon, 14 Jan 2019 20:35:22 GMT
On Mon, Jan 14, 2019 at 12:23 PM Nick Couchman <vnick@apache.org> wrote:

> On Mon, Jan 14, 2019 at 2:44 PM sciUser <shulbert@securitycentric.net>
> wrote:
>
>> Sure,
>>
>> We will not be moving to 1.0.0 until it's had a full 120 day dev QA, so far
>> there are a lot of bugs that need to be worked out.
>>
>
sciUser, if you have found a bug, and you're sure you've found a bug,
please open an issue in our JIRA. We can't fix what we don't know about.


>
>> 1. https://securitytraning.com/ldap-injection-attacks-web-for-pentester/
>> 2. https://www.hackthis.co.uk/forum/hacking-security/tutorials-articles/604-ldap-injection-tutorial
>> 3. https://tools.kali.org/information-gathering/enum4linux
>>
>>
> As with many vulnerabilities, it seems like these rely on people not
> writing code correctly and failing to escape items which might be
> configured or input by the end-user.  Proper escaping of that code should
> mitigate these attacks, no?
>

Yep.


>
>> I can cite a lot more, but we are running advanced security labs with tools
>> that can rip a network apart if not correctly isolated.  So this is why we
>> don't use LDAP which can be exploited.
>>
>
> This is, once again, a broad statement, that may or may not be true,
> depending on the quality of the code that is authenticating against LDAP.
> Obviously I would not recommend making an LDAP server available on the
> Internet directly, nor would I recommend making web pages available with
> basic code that doesn't correctly handle that escaping.  But I would feel
> fairly confident in saying that not every piece of code that authenticates
> against LDAP is vulnerable to LDAP Injection attacks.  It would be like
> saying, "Don't write code that uses a database, because it's vulnerable to
> SQL Injection attacks."
>

++1

It's certainly true that vulnerable apps exist, but it's not correct to
blanketly state that LDAP, SQL, etc. are inherently unsafe. Guacamole does
correctly escape untrusted input within LDAP queries, and administrators
should of course isolate systems from their users when those systems
shouldn't be accessed by those users.

These sorts of vulnerabilities are things we carefully review for when
changes are made to the LDAP auth.

- Mike
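As an added illustration of the escaping Nick and Mike describe (example code written for this page, not Guacamole's own LDAP module, which is Java): the value-escaping rules of RFC 4515 applied to a username, the unsafe concatenation beside the escaped form, and a check that the resulting assertion value can only match literally. The attribute name `uid` and the sample username are assumptions.

```python
# Added example (not Guacamole's code): RFC 4515 escaping of untrusted input
# before it goes into an LDAP search filter, so metacharacters match literally.
_ASCII_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    """Escape one assertion value (RFC 4515 section 3). Metacharacters become
    \\XX; characters outside printable ASCII are escaped as UTF-8 bytes."""
    out = []
    for ch in value:
        if ch in _ASCII_ESCAPES:
            out.append(_ASCII_ESCAPES[ch])
        elif 0x20 <= ord(ch) <= 0x7E:
            out.append(ch)
        else:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
    return "".join(out)

def build_user_filter_unsafe(username: str, attr: str = "uid") -> str:
    """The mistake the thread describes: raw input concatenated into the filter."""
    return f"({attr}={username})"

def build_user_filter(username: str, attr: str = "uid") -> str:
    """Hardened form: the value is escaped, so the filter can only match it literally."""
    return f"({attr}={escape_filter_value(username)})"

def assertion_value_is_literal(filt: str) -> bool:
    """True if `filt` is one (attr=value) assertion whose value is literal: every
    backslash starts a two-hex-digit escape and no '*', '(' or ')' is bare."""
    if not (filt.startswith("(") and filt.endswith(")")) or "=" not in filt:
        return False
    value = filt[1:-1].split("=", 1)[1]
    i = 0
    while i < len(value):
        if value[i] == "\\":
            hexpart = value[i + 1:i + 3]
            if len(hexpart) != 2 or not all(c in "0123456789abcdefABCDEF" for c in hexpart):
                return False
            i += 3
        elif value[i] in "*()":
            return False
        else:
            i += 1
    return True

if __name__ == "__main__":
    sample = "ali(ce)*é"  # constructed input with metacharacters and a non-ASCII letter
    for build in (build_user_filter_unsafe, build_user_filter):
        filt = build(sample)
        print(filt, "literal" if assertion_value_is_literal(filt) else "structure changed")
```

The same escaping applies to any attribute value taken from a login form or configuration, not only the username; DN components use a different escaping (RFC 4514) and need their own routine.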
