On 23/08/2016 7:56 a.m., Diogenes S. Jesus wrote:
> Hi there. First thanks for taking the time to thoroughly reply to it.
>
>>> external_acl_type ldap_HTTP %LOGIN %URI
>>> /usr/lib/squid/ext_ldap_group_acl -D "cn=admin,dc=example,dc=com" -w
>>> test -R -b "ou=authorization,dc=example,dc=com" -B
>>> "ou=people,dc=example,dc=com" -f
>>> '(&(objectclass=groupOfNames)(cn=%g)(member=uid=%u,ou=people,dc=example,dc=com))'
>>> -h ldap01.example.com -d
>>
>> Please be aware that the %URI format does not perform any type of shell
>> or LDAP escaping to protect this helper lookup against shell-injection
>> attacks.
>>
>> It is possible that a remote client can end a URL with ')' followed by
>> any LDAP commands they like and have that executed by your helper.
>
> I was also concerned about shell injection and LDAP injection but:
> - group value is not really passed as shell argument but read from stdin
>   AFAIU
> - I could not see ")" reflected in the LDAP filter. When performing the
>   following request, for example:
>
> $ curl --proxy-negotiate --negotiate -u : http://web.example")".com/
>
> I see the following lines in the debug log:
>
> ext_ldap_group_acl.cc(579): pid=31325 :Connected OK
>
> ext_ldap_group_acl.cc(718): pid=31325 :group filter
> '(&(objectclass=groupOfNames)(cn=web.example\29.com)(member=uid= john_doe ,ou=people,dc=example,dc=com))',
> searchbase 'ou=authorization,dc=example,dc=com'
>
> That's because "group" is ldap-escaped when building the LDAP search filter
> (https://github.com/squid-cache/squid/tree/master/helpers/external_acl/LDAP_group#L654)
> AFAIU.
>
> I have since the message was sent to the mailing list stopped using "%URI"
> and changed to "%DST" - only because %URI will also add scheme and, for SSL,
> port number.
>
> Regardless, your point may still be valid for those passing argument to the
> binary. Minor pentests I did didn't show much of a security risk here.

Thanks for testing it.
I overlooked the ldap_escape being used until after pressing send. :-/

>> If you want to do things like this safely please upgrade to Squid-4
>> where the logformat codes are available. Those codes provide
>> customizable escaping and quoting styles so you can set one that
>> protects LDAP against these attacks to be used on the URI field value
>> sent by Squid.
>
> You mean these <http://www.squid-cache.org/Doc/config/logformat/>
> logformats are available to be used in acl / external acls @ squid.conf? Or?

Yes. I'm trying to get all the things in squid.conf that take/use a custom
format to use the logformat code system. Squid-4 is the external_acl_type
directive's turn.

All of them are available for use in the %FORMAT field. It only depends on
whether the data any given code outputs exists at the point of transaction
where your ACL gets used.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
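As an added illustration (not code from the thread or from Squid's ext_ldap_group_acl helper), the Python below reimplements the RFC 4515 filter-value escaping that the thread credits to the helper's ldap_escape, applies it to the -f template quoted above, and checks whether the resulting filter's parentheses still balance; the function names are my own, and the group value is the constructed host from the curl test, which the shell delivers to curl without its double quotes.

```python
# Added illustration, not the helper's own code: RFC 4515 escaping of a value
# interpolated into an LDAP search filter, applied to the thread's template.

# Characters that carry meaning inside an LDAP filter assertion value
# (RFC 4515, section 3) and their escaped forms.
_FILTER_SPECIALS = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The filter template passed to ext_ldap_group_acl with -f in the thread.
GROUP_FILTER = (
    "(&(objectclass=groupOfNames)(cn=%g)"
    "(member=uid=%u,ou=people,dc=example,dc=com))"
)


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it can only ever be read as data inside a filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def build_group_filter(user: str, group: str, escape: bool = True) -> str:
    """Substitute %u and %g into GROUP_FILTER; escape=False shows the raw form."""
    if escape:
        user, group = ldap_filter_escape(user), ldap_filter_escape(group)
    return GROUP_FILTER.replace("%u", user).replace("%g", group)


def paren_imbalance(ldap_filter: str) -> int:
    """Net count of literal '(' minus ')' in a filter string.

    Escaped parentheses appear as \\28 / \\29 and contain no literal
    parenthesis, so a correctly escaped filter built from a balanced
    template always returns 0; a non-zero result means the interpolated
    value changed the filter's structure.
    """
    return ldap_filter.count("(") - ldap_filter.count(")")


if __name__ == "__main__":
    # Constructed value: the host that reaches the helper for the thread's
    # curl request once the shell has stripped the double quotes.
    group = "web.example).com"
    print(build_group_filter("john_doe", group))
    print("imbalance, escaped:  ", paren_imbalance(build_group_filter("john_doe", group)))
    print("imbalance, unescaped:", paren_imbalance(build_group_filter("john_doe", group, escape=False)))
```

The escaped output reproduces the `cn=web.example\29.com` seen in the debug log, while the unescaped build leaves one more `)` than `(`, which is the structural change the escaping exists to prevent.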