9 Mar
2011
9 Mar
'11
9:38 a.m.
atze_80@web.de wrote:
Can confirm this with openldap 2.4.24.
Thanks, the bug was already confirmed.
Using ldap search filters like this:
(cn=blabla' or '1'='1)
is at least causing my postgres to eat all CPU cycles it can get (LDAP data is based on complex view). I do not have write access enabled for that particular openLDAP installation, but I also assume that SQL Injection is possible. Beside being an obviuos malfunction, this should be considered a security issue.
As the bug status says, "patches welcome." back-sql is not a priority for any of the core developers.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
5007
Age (days ago)
5007
Last active (days ago)
0 comments
1 participants
participants (1)
-
hyc@symas.com