LDAP Injection [CWE-90] — The Hacktivists

1. Description
………………………………

This weakness describes a case where software does not properly validate external input before using it to construct LDAP queries. As a result, an attacker might be able to inject and execute arbitrary LDAP commands within the directory server. The PHP fragment below illustrates the weakness: the submitted login value is inserted into the search filter after htmlspecialchars(), which neutralises HTML markup but not the characters that carry meaning in an LDAP filter.

<form method="post" action="">
  <p>Login: <input type="text" name="user" value=""></p>
  <p>Password: <input type="password" name="pass" value=""></p>
  <p>Search for: <input type="text" name="login"></p>
  <input type="submit" name="submit" value="Enter">
</form>
<?php
...
$username = htmlspecialchars(trim($_POST["user"]));
$upasswd = htmlspecialchars(trim($_POST["pass"]));
$ldapbind = ldap_bind($ds, $username, $upasswd);
if ($ldapbind):
    // The login value is only HTML-escaped; LDAP filter metacharacters reach the filter unchanged.
    $filter = "(&(objectClass=user)(sAMAccountName=" . htmlspecialchars($_REQUEST["login"]) . "))";
    if (!($search = @ldap_search($ds, $ldapconfig['basedn'], $filter))) {
        echo("Unable to search ldap server<br>");
        echo("msg:'" . ldap_error($ds) . "'<br>"); # check the message again
    }
    else {
        $number_returned = ldap_count_entries($ds, $search);
        $info = ldap_get_entries($ds, $search);
        echo "<p>The number of entries returned is " . $number_returned . "<p><pre>";
        for ($i = 0; $i < $info["count"]; $i++) {
            print_r($info[$i]);
        }
        echo "</pre>";
    }
endif;
?>
With the login value test_account the application builds the intended filter:

(&(objectClass=user)(sAMAccountName=test_account))

Because htmlspecialchars() leaves the LDAP metacharacters ( ) and * untouched, a crafted login value can close the sAMAccountName clause and append a condition of its own, so the directory server receives a different filter, for example:

(&(objectClass=user)(sAMAccountName=*)(memberof=CN=Domain Admins,CN=Users,DC=testcompany,DC=local))
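As an added example (not from the original article), the following Python reproduces the two filters above: the vulnerable builder mirrors the PHP's htmlspecialchars() call, the hardened builder applies RFC 4515 escaping to the user-supplied value instead, and a small structural check counts the assertions in the resulting filter. The login values are constructed to match the page's filters, and the escaping routine is a hand-written illustration rather than a library call.

```python
"""Added example: why the page's htmlspecialchars() call does not stop LDAP
injection, and what RFC 4515 escaping of the filter value does instead.
Standard library only; sample values are constructed from the filters above."""
import html

# RFC 4515 assertion-value escapes: \ * ( ) and NUL become backslash + two hex digits.
LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def build_filter_vulnerable(login: str) -> str:
    """Mirrors the PHP on the page: HTML-escape, then concatenate into the filter.
    html.escape() only rewrites & < > " ' so LDAP metacharacters pass through."""
    return "(&(objectClass=user)(sAMAccountName=" + html.escape(login) + "))"


def escape_ldap_filter_value(value: str) -> str:
    """Escape one user-supplied assertion value so it can only match literally."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter_hardened(login: str) -> str:
    """Same filter shape, but * ( ) in the value are escaped: no wildcard, no new clause."""
    return "(&(objectClass=user)(sAMAccountName=" + escape_ldap_filter_value(login) + "))"


def count_assertions(ldap_filter: str) -> int:
    """Crude structural check: count unescaped '(' that start an attribute assertion
    rather than an &, | or ! group. A single account lookup must yield exactly 2."""
    count, i = 0, 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":  # skip a \XX escape sequence inside an escaped value
            i += 3
            continue
        if ch == "(" and i + 1 < len(ldap_filter) and ldap_filter[i + 1] not in "&|!":
            count += 1
        i += 1
    return count


# Constructed inputs: the benign login from the page and the value that reproduces
# the injected filter shown on the page.
BENIGN_LOGIN = "test_account"
INJECTED_LOGIN = "*)(memberof=CN=Domain Admins,CN=Users,DC=testcompany,DC=local"

if __name__ == "__main__":
    for login in (BENIGN_LOGIN, INJECTED_LOGIN):
        for name, build in (("vulnerable", build_filter_vulnerable), ("hardened", build_filter_hardened)):
            ldap_filter = build(login)
            print(f"{name:10s} assertions={count_assertions(ldap_filter)}  {ldap_filter}")
```

Running the script shows the vulnerable builder turning the injected value into a three-assertion filter identical to the one above, while the hardened builder keeps two assertions and a literal, non-wildcard value.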

2. Potential impact
………………………………

Depending on the vulnerable application and its functionality, an attacker might be able to gain access to potentially sensitive information, modify or delete data and elevate privileges within the application. In a worst-case scenario, this weakness could lead to full system compromise.

3. Attack patterns
………………………………

Common Attack Pattern Enumeration and Classification (CAPEC) contains exploitation patterns for this weakness:

4. Affected software
………………………………

Software that uses a directory server to store and access information is potentially vulnerable to this weakness. Many corporate applications use SSO functionality based on LDAP and therefore should pay extra attention to the security of such software.

5. Severity and CVSS Scoring
………………………………

LDAP injections, just like any other code injection weaknesses, can affect the confidentiality, integrity, and availability of the application. Depending on application functionality and its use of LDAP queries, an attacker might be able to read, modify or delete information stored in a directory server, or even elevate privileges.

The Hacktivists

Contact us for Information Security Services & Training https://thehacktivists.in/