(ITS#6163) back-sql DoS when searching for empty attr
Full_Name: Luben Karavelov
Submission from: (NULL) (18.104.22.168)
We use LDAP for some user account authentication here, and we have found that
queries of this kind:
ldapsearch -b "dc=users,dc=example,dc=com"
kill slapd. It exits on assert( 0 ) at line 1366 of back-sql/search.c.
It is even nastier because it could be remotely triggered with
ssh -l "" server-with-ldap-accounts-in-nss.example.com
or through ftp using the same technique.