On 6/27/19 6:23 PM, Michael Ströder wrote:
On 6/27/19 6:18 PM, Howard Chu wrote:
> Michael Ströder wrote:
>> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>>> Thanks to Ondrej, this list is a bit shorter now. :)
>>
>> But one more I'd love to see in 2.4.48:
>>
>> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message
>>
>> https://www.openldap.org/its/index.cgi?findid=8866
>
> I don't believe the information disclosure issues have been
> sufficiently answered there. Overall it's a bad idea and goes against
> our standing policy of minimal disclosure.

Sorry, you already have the disclosure.

Citing from my old e-mail found here:
https://www.openldap.org/lists/openldap-devel/201711/msg00003.html

> But this problem exists anyway because an attacker can probe
> values by adding entries with non-unique attributes and determine
> whether an attribute value exists or not by distinguishing the result
> code constraintViolation(19) vs. insufficientAccessRights(50).
> Even worse, this even works in case the attacker does not have read
> access anywhere!

Furthermore, the security of a system should not rely on confidentiality
of the configuration. E.g. with Æ-DIR the config is publicly known.

Also note I'm usually blamed for making directory contents too confidential.

Ciao, Michael.
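
Added example, not part of the original e-mail thread: a log check for the result-code distinction described in the quoted message, flagging connections whose add operations never succeed but return a mix of constraintViolation(19) and insufficientAccessRights(50). It assumes slapd stats-level log lines of the form `conn=N op=M RESULT tag=105 err=E`; the sample lines, the threshold and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed slapd stats-level log lines (not taken from the thread).
SAMPLE_LOG = """\
conn=1001 op=1 ADD dn="uid=alice,ou=people,dc=example,dc=org"
conn=1001 op=1 RESULT tag=105 err=0 text=
conn=1002 op=1 ADD dn="cn=p1,ou=tmp,dc=example,dc=org"
conn=1002 op=1 RESULT tag=105 err=50 text=
conn=1002 op=2 ADD dn="cn=p2,ou=tmp,dc=example,dc=org"
conn=1002 op=2 RESULT tag=105 err=19 text=
conn=1002 op=3 ADD dn="cn=p3,ou=tmp,dc=example,dc=org"
conn=1002 op=3 RESULT tag=105 err=50 text=
conn=1002 op=4 ADD dn="cn=p4,ou=tmp,dc=example,dc=org"
conn=1002 op=4 RESULT tag=105 err=19 text=
conn=1003 op=1 ADD dn="uid=bob,ou=people,dc=example,dc=org"
conn=1003 op=1 RESULT tag=105 err=19 text=
"""

# tag=105 is the LDAP AddResponse; err is the LDAP result code.
ADD_RESULT = re.compile(r"conn=(\d+) op=\d+ RESULT tag=105 err=(\d+)")
SUCCESS = 0
CONSTRAINT_VIOLATION = 19
INSUFFICIENT_ACCESS = 50


def suspicious_connections(log_text, min_failures=4):
    """Return {conn: {result_code: count}} for connections whose ADDs never
    succeed and fail with both codes 19 and 50 (heuristic, assumed threshold)."""
    per_conn = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = ADD_RESULT.search(line)  # search() tolerates a syslog prefix
        if m:
            per_conn[int(m.group(1))][int(m.group(2))] += 1

    flagged = {}
    for conn, codes in per_conn.items():
        n19 = codes.get(CONSTRAINT_VIOLATION, 0)
        n50 = codes.get(INSUFFICIENT_ACCESS, 0)
        never_succeeds = codes.get(SUCCESS, 0) == 0
        if never_succeeds and n19 and n50 and n19 + n50 >= min_failures:
            flagged[conn] = dict(codes)
    return flagged


if __name__ == "__main__":
    for conn, codes in suspicious_connections(SAMPLE_LOG).items():
        print(f"conn={conn} ADD result codes: {codes}")
```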