On Sep 15, 2010, at 10:27 AM, Jacob Beauregard wrote:
> Also, for my entry, there's a hash in a field called userPassword.
There is an LDAP userPassword for everyone, but given our setup, in the general case it's not very exciting despite the name. Using your account as an example, the userPassword field contains the Base64-encoded text "[log in to unmask]", which for OpenLDAP essentially says "let's look in our outside source [Kerberos, in this case] for the password".
>> My purpose here is not to discredit the seriousness of injection attacks. Rather, I'd like to publicly state my own feeling about the risk this presents to UVM's LDAP security -- that the risk is rather small -- in order to combat the risk that FUD could creep into this great IT community at UVM.
> Yes, very small for injection, but there are also other kinds of risk just by the nature of the data accessible to the user.
Cross-site scripting issues, in particular.
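The pass-through userPassword described above, as an added example that is not part of this thread: a small audit of an LDIF export that decodes each userPassword and reports whether OpenLDAP will treat it as a stored hash, as cleartext, or as a {SASL} reference to an outside source such as Kerberos. The {SASL}principal form is my assumption about what the masked value looks like, and the LDIF sample is constructed.

```python
import base64
import re
from collections import Counter


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed LDIF export, not from the original message. The {SASL}principal form is
# an assumption about the masked value: OpenLDAP treats such a userPassword as "verify
# through SASL against the outside source" rather than as a stored secret.
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=People,dc=example,dc=edu
userPassword:: {_b64('{SASL}alice@EXAMPLE.EDU')}

dn: uid=bob,ou=People,dc=example,dc=edu
userPassword:: {_b64('{SSHA}Zm9vYmFyc2FsdHNhbHRzYWx0')}

dn: uid=carol,ou=People,dc=example,dc=edu
userPassword: hunter2

dn: uid=dave,ou=People,dc=example,dc=edu
description: no userPassword attribute at all
"""

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def classify_password(value: str) -> str:
    """Map a decoded userPassword value to how OpenLDAP will treat it."""
    m = SCHEME_RE.match(value)
    if m is None:
        return "cleartext"          # no scheme prefix: compared as plain text
    scheme = m.group(1).upper()
    if scheme == "SASL":
        return "pass-through"       # no secret stored; the SASL backend verifies it
    if scheme == "CLEARTEXT":
        return "cleartext"
    return f"hashed:{scheme}"       # e.g. SSHA, CRYPT: a hash is stored in the DIT


def audit_ldif(ldif: str) -> dict:
    """Return {dn: classification} for every entry in an LDIF export."""
    results = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        lines = record.replace("\n ", "").splitlines()  # fold LDIF continuation lines
        dn, verdict = None, "none"
        for line in lines:
            if line.startswith("dn:"):
                dn = line[3:].strip()
            elif line.startswith("userPassword::"):   # '::' means base64-encoded value
                verdict = classify_password(base64.b64decode(line[14:].strip()).decode())
            elif line.startswith("userPassword:"):
                verdict = classify_password(line[13:].strip())
        if dn:
            results[dn] = verdict
    return results


if __name__ == "__main__":
    audit = audit_ldif(SAMPLE_LDIF)
    for dn, verdict in audit.items():
        print(f"{verdict:16} {dn}")
    print(Counter(audit.values()))
```

Run against a real export (ldapsearch output or a slapcat dump), the summary shows at a glance how many accounts actually hold a secret in the directory versus how many merely point at Kerberos.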