
UAA : LDAP with accented characters

Open angusm43ge opened this issue 2 years ago • 2 comments

SECURITY NOTICE: If you have found a security problem in the UAA, please do not file a public github issue. Instead, please send an email to [email protected]

Thanks for taking the time to file an issue. You'll minimize back and forth and help us help you more effectively by answering all of the following questions as specifically and completely as you can.

What version of UAA are you running?

What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'?

Using a downstream fork of UAA which is at version 75.14.0. The /info endpoint is suppressed for security reasons.

How are you deploying the UAA?

I am deploying the UAA

  • other (please explain): packaged for Kubernetes from a fork, with some modifications, as part of a web application.

What did you do?

Using ldap_simple_bind.xml to integrate with an LDAP IdP (either OpenLDAP or AD).

When logging in as a user whose password contains accented characters, for example Lèõñ, there is an authentication failure.

What did you expect to see? What goal are you trying to achieve with the UAA?

Login OK

What did you see instead?

[2022-10-05 10:23:41.805] uaa - 1 [qtp942518407-11] .... DEBUG --- BindAuthenticator: Failed to bind as CN= org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839^@]

LDAP error code 49 is invalidCredentials (source: RFC 2251).

The error code attached as data, 52e, is an Active Directory error; source: MS error codes, ERROR_LOGON_FAILURE 1326 (0x52E): The user name or password is incorrect.

Inspection of the LDAP traffic into the IDP using Wireshark shows that at the point of attempting to bind as the logging-in user, the password has been transformed.

As an example, if the password is input as "Lèõñ":

Raw data shows that the string Lèõñ, at the point of the bind request with the LDAP IdP, is encoded as hex 4c ef bf bd ef bf bd ef bf bd: "4c" is L, then 3 x "ef bf bd", which is the UTF-8 encoding of the Unicode BOM.

I think that the actual password string seen in Wireshark in the bind request is the same as the WIN-1252 representation of the string, converted to ISO 8859-1 as if it had originally been encoded as UTF8. Or something like that.

The UAA login dialog specifies UTF-8 in the HTML header metadata:

xxxxx ......

However, this looks to be an assertion only; there is no enforcement of the encoding of the incoming text to the login dialog. I think this is a gray area with HTML.

UAA has its own filters which convert inputs to/from UTF-8, so I don't think that Java or OS settings for locale etc. are relevant.

angusm43ge avatar Mar 02 '23 17:03 angusm43ge
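The transformation the report describes, as an added example that is not code from the UAA project or from the reporter: the functions below model a browser submitting the login form in one charset and the server decoding the POST body in another, then show the bytes that would reach the LDAP simple bind. The sequence ef bf bd is the UTF-8 encoding of U+FFFD, the replacement character a lenient decoder substitutes for malformed input (the UTF-8 BOM, U+FEFF, is ef bb bf). Taking the Windows-1252 bytes for Lèõñ (4c e8 f5 f1) and decoding them as UTF-8 reproduces exactly the 4c ef bf bd ef bf bd ef bf bd seen in Wireshark, while UTF-8 bytes mis-decoded as ISO-8859-1 would give a different, longer mojibake sequence, so the two hypotheses can be told apart from the capture alone. The function names, the charset pairs tried and the `diagnose` heuristic are this example's own assumptions.

```python
"""Added example (not UAA project code, not from the issue reporter).

Models the browser form -> servlet decode -> LDAP bind path for a password
with accented characters and shows which encoding mismatch yields the bytes
captured in the report.  Charset pairs and diagnose() are assumptions.
"""

PASSWORD = "Lèõñ"  # the example password quoted in the issue
# Hex captured in the bind request according to the report (constructed here from its text).
REPORTED_HEX = "4c ef bf bd ef bf bd ef bf bd"


def form_bytes(password: str, charset: str) -> bytes:
    """Bytes a browser puts in the POST body when it encodes the form in `charset`."""
    return password.encode(charset)


def server_decode(body: bytes, charset: str = "utf-8") -> str:
    """Model a servlet container turning the body into a String with a lenient
    decoder: malformed input becomes U+FFFD instead of raising an error."""
    return body.decode(charset, errors="replace")


def bind_password_bytes(password: str) -> bytes:
    """What goes on the wire in the LDAP simple bind: the String re-encoded as UTF-8."""
    return password.encode("utf-8")


def simulate(form_charset: str, server_charset: str = "utf-8") -> bytes:
    """End to end: browser encodes with form_charset, server decodes with server_charset."""
    return bind_password_bytes(server_decode(form_bytes(PASSWORD, form_charset), server_charset))


def diagnose(bind_bytes: bytes) -> str:
    """Heuristic classification of a password captured in a bind request.

    'replaced'       - contains U+FFFD: non-UTF-8 bytes (e.g. Windows-1252) were decoded as UTF-8
    'double-encoded' - UTF-8 bytes were decoded as ISO-8859-1 and re-encoded (mojibake like 'Ã¨')
    'utf8-clean'     - valid UTF-8 with neither symptom
    'not-utf8'       - not valid UTF-8 at all
    """
    try:
        text = bind_bytes.decode("utf-8")
    except UnicodeDecodeError:
        return "not-utf8"
    if "\ufffd" in text:
        return "replaced"
    if any(ord(ch) > 0x7F for ch in text):
        try:
            # Mojibake round-trips: reinterpret each char as a Latin-1 byte, then as UTF-8.
            text.encode("latin-1").decode("utf-8")
            return "double-encoded"
        except (UnicodeEncodeError, UnicodeDecodeError):
            pass  # genuine accented text does not survive that round trip
    return "utf8-clean"


def diagnose_reported() -> str:
    """Run the classifier over the hex quoted in the report."""
    return diagnose(bytes.fromhex(REPORTED_HEX.replace(" ", "")))


if __name__ == "__main__":
    for form_cs, server_cs in (("utf-8", "utf-8"), ("cp1252", "utf-8"), ("utf-8", "latin-1")):
        wire = simulate(form_cs, server_cs)
        print(f"form={form_cs:7} server={server_cs:7} bind={wire.hex(' ')}  -> {diagnose(wire)}")
    print("reported capture ->", diagnose_reported())
```

To check a capture of your own, paste the hex of the bind password from Wireshark into `bytes.fromhex(...)` and call `diagnose` on it: "replaced" means the browser did not send UTF-8 and the server decoded it as if it had (the pattern in this report), "double-encoded" means the opposite mismatch. Either way the directory receives bytes that can never equal the stored password, which is why AD answers with data 52e rather than anything more specific.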

@bruce-ricard FYI

strehle avatar Nov 16 '23 17:11 strehle

@angusm43ge, 75.x is not a supported version by us. Can you see if you can reproduce the issue with latest UAA?

hsinn0 avatar Jan 22 '24 23:01 hsinn0

Closing the issue as it was reported for an unsupported version and request for additional info was not provided.

hsinn0 avatar Apr 01 '24 22:04 hsinn0