[squid-users] dynamic group using URI as group name on external acl with ext_ldap_group_acl

Amos Jeffries squid3 at treenet.co.nz
Tue Aug 23 14:22:21 UTC 2016


On 23/08/2016 7:56 a.m., Diogenes S. Jesus wrote:
> Hi there. First thanks for taking the time to thoroughly reply to it.
> 
>>> external_acl_type ldap_HTTP %LOGIN %URI
>>> /usr/lib/squid/ext_ldap_group_acl -D "cn=admin,dc=example,dc=com" -w
>>> test -R -b "ou=authorization,dc=example,dc=com" -B
>>> "ou=people,dc=example,dc=com" -f
>>> '(&(objectclass=groupOfNames)(cn=%g)(member=uid=%u,ou=
> people,dc=example,dc=com))'
>>> -h ldap01.example.com -d
>>
>>
>> Please be aware that the %URI format does not perform any type of shell
>> or LDAP escaping to protect this helper lookup against shell-injection
>> attacks.
>>
>> It is possible that a remote client can end a URL with ')' followed by
>> any LDAP commands they like and have that executed by your helper.
> 
> I was also concerned about shell injection and LDAP injection but:
> - group value is not really passed as shell argument but read from stdin
> AFAIU
> - I could not see ")" reflected in the LDAP filter. When performing the
> following request, for example:
> 
> $ curl --proxy-negotiate --negotiate -u : http://web.example")".com/
> 
> I see the following lines in the debug log:
> 
> ext_ldap_group_acl.cc(579): pid=31325 :Connected OK
> 
> ext_ldap_group_acl.cc(718): pid=31325 :group filter
> '(&(objectclass=groupOfNames)(cn=web.example\29.com)(member=uid= john_doe
> ,ou=people,dc=example,dc=com))', searchbase 'ou=authorization,dc=example,
> dc=com'
> 
> That's because "group" is ldap-escaped when building the LDAP search filter
> (https://github.com/squid-cache/squid/tree/master/helpers/external_acl/LDAP_group#L654)
> AFAIU.
> 
> I have since the message was sent to the mailing list stopped using "%URI"
> and changed to "%DST" - only because %URI will also add scheme and for SSL,
> port number.
> 
> Regardless, your point may still be valid for those passing argument to the
> binary. Minor pentests I did didn't show much of a security risk here.

Thanks for testing it. I overlooked the ldap_escape being used until
after pressing send. :-/

> 
>> If you want to do things like this safely please upgrade to Squid-4
>> where the logformat codes are available. Those codes provide
>> customizable escaping and quoting styles so you can set one that
>> protects LDAP against these attacks to be used on the URI field value
>> sent by Squid.
> 
> You mean these <http://www.squid-cache.org/Doc/config/logformat/>
> logformats are available to be used in acl / external acls @ squid.conf? Or?
> 

Yes. I'm trying to get all the things in squid.conf that take/use a
custom format to use the logformat code system. Squid-4 is the
external_acl_type directive's turn.

All of them are available for use in the %FORMAT field. It only depends
on whether the data any given code outputs exists at the point of
transaction where your ACL gets used.

Amos
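The exchange above hinges on the helper escaping the group value (here the destination host) before it is substituted into the LDAP search filter, which is why the `)` in the test request shows up as `\29` in the debug log. The following is an added example, not code from the Squid project or from either poster, that reproduces that escaping per RFC 4515 and builds the same filter the thread's squid.conf uses, side by side with what the filter would look like if no escaping were applied. The function names (`ldap_filter_escape`, `build_group_filter`, `paren_depth_ok`, `dst_from_url`) and the sample host/user values are constructed for this illustration.

```python
# Added example: RFC 4515 escaping for LDAP filter values, applied to the
# ext_ldap_group_acl filter template quoted in the thread. Not Squid code.
from urllib.parse import urlsplit

# RFC 4515 section 3: characters that must be escaped inside an assertion value,
# each replaced by a backslash and its two-digit hex code.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The filter template from the squid.conf in the thread: %g is the group name
# (the destination host when %DST/%URI is used), %u is the login name.
FILTER_TEMPLATE = (
    "(&(objectclass=groupOfNames)(cn=%g)"
    "(member=uid=%u,ou=people,dc=example,dc=com))"
)


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def dst_from_url(url: str) -> str:
    """Approximate %DST: the host part of the request URL, lower-cased.
    Constructed helper; Squid derives %DST from the parsed request itself."""
    host = urlsplit(url).hostname
    return host if host is not None else ""


def build_group_filter(group: str, user: str, escape: bool = True) -> str:
    """Substitute %g/%u into the template, escaping both values by default.
    escape=False shows the unsafe variant for comparison only."""
    if escape:
        group, user = ldap_filter_escape(group), ldap_filter_escape(user)
    return FILTER_TEMPLATE.replace("%g", group).replace("%u", user)


def paren_depth_ok(filt: str) -> bool:
    """Defensive sanity check: a well-formed filter never closes more parens
    than it has opened and ends balanced. Escaped \\28/\\29 are plain text,
    so they do not count. This catches structural corruption like the sample
    below but is NOT a substitute for escaping (balanced payloads pass it)."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample mirroring the curl request in the thread: the shell
    # collapses "web.example")".com to web.example).com.
    host = dst_from_url("http://web.example).com/")
    user = "john_doe"
    safe = build_group_filter(host, user)
    unsafe = build_group_filter(host, user, escape=False)
    print("escaped  :", safe, "| balanced:", paren_depth_ok(safe))
    print("unescaped:", unsafe, "| balanced:", paren_depth_ok(unsafe))
```

Running the block prints the escaped filter, which matches the `group filter` line in the debug log (`cn=web.example\29.com`), alongside the unescaped variant whose stray `)` breaks the filter structure. The same escaping should be applied to any other client-controlled value (the login name included) before it reaches a filter, whichever format code Squid hands it over with.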
