[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6461) back-sql quote characters in query

Can confirm this with openldap 2.4.24.

Using ldap search filters like this:

(cn=blabla' or '1'='1)

is at least causing my postgres to eat all CPU cycles it can get (LDAP
data is based on complex view). I do not have write access enabled for
that particular openLDAP installation, but I also assume that SQL
Injection is possible. Beside being an obviuos malfunction, this should
be considered a security issue.