Lightweight Directory Access Protocol (LDAP) reference implementation security flaws have been addressed by the maintainers of the NGINX web server project.
It's not necessary to take any action if you don't use the reference implementation of NGINX, according to Liam Crilly and Timo Stark of F5 Networks, who published the advisory on Monday.
There are three conditions in which NGINX's reference implementation, which uses an LDAP-based authentication system, can be affected:
- Command-line parameters to configure the Python-based reference implementation daemon
- Unused, optional configuration parameters, and
- Specific group membership to carry out LDAP authentication
To force LDAP authentication to succeed even when the falsely authenticated user does not belong to the group, an attacker could send specially crafted HTTP request headers and potentially override the configuration parameters.
Users have been advised by the project maintainers to remove any special characters from their usernames before signing in and to update any relevant configuration parameters with an empty value as a preventative measure ("").
Additionally, the LDAP reference implementation mainly "describes how the integration works and all the components required to verify the integration" and that "it is not a production-grade LDAP solution."
The information was made public by the hacktivist collective BlueHornet, which revealed that it had "gotten our hands on an experimental exploit for NGINX 1.18" over the past weekend.
Post a Comment
Your suggestions and comments are welcome