We are building an application which utilizes LDAP via PHP and I got to thinking: is there anything you can do with injecting into LDAP and, better yet, how does one protect against LDAP injections?
When constructing LDAP filters you must ensure that filter values are handled according to RFC2254:
Any control characters with an ASCII code < 32 as well as the characters with special meaning in LDAP filters "*", "(", ")", and "\" (the backslash) are converted into the representation of a backslash followed by two hex digits representing the hexadecimal value of the character.
Zend_Ldap for example uses the following routine:
//[...]
// Escape one value for use inside an LDAP search filter (RFC 2254 style).
function escapeFilterValue($val) {
    // The four filter metacharacters become backslash + two hex digits.
    $val = str_replace(array('\\', '*', '(', ')'), array('\5c', '\2a', '\28', '\29'), $val);
    // Control characters (ASCII < 32) get the same backslash-hex treatment.
    for ($i = 0; $i < strlen($val); $i++) {
        $char = substr($val, $i, 1);
        if (ord($char) < 32) {
            $hex = dechex(ord($char));
            if (strlen($hex) == 1) $hex = '0' . $hex; // always two hex digits
            $val = str_replace($char, '\\' . $hex, $val);
        }
    }
    return $val;
}
//[...]
One item to consider is that an LDAP bind with a Username (DN) but no password is considered an anonymous bind. Therefore should you test to see if the passed credentials can bind via LDAP to validate the user, if they pass a blank password, and you passed it through as is, you could let someone in incorrectly.
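Putting both answers together, here is an added PHP example (not code from either answer or from Zend_Ldap) that escapes user input before it is placed in a filter and refuses an empty password before calling ldap_bind(). The server URI, base DN and attribute names are placeholders.

```php
<?php
// Escape one value for use inside an LDAP filter: the filter metacharacters
// and any control character (ASCII < 32) become "\" plus two hex digits.
function ldapEscapeFilterValue(string $val): string {
    $out = '';
    foreach (str_split($val) as $ch) {
        $code = ord($ch);
        if ($code < 32 || in_array($ch, ['*', '(', ')', '\\'], true)) {
            $out .= '\\' . str_pad(dechex($code), 2, '0', STR_PAD_LEFT);
        } else {
            $out .= $ch;
        }
    }
    return $out;
}

// Constructed input showing what escaping does to a value that tries to
// close the filter early. The result is matched literally:
//   (&(objectClass=person)(uid=\2a\29\28uid=\2a))
$raw = "*)(uid=*";
$demoFilter = '(&(objectClass=person)(uid=' . ldapEscapeFilterValue($raw) . '))';

function authenticate(string $username, string $password): bool {
    // Reject an empty password up front: ldap_bind() with an empty password
    // is treated as an anonymous bind and would "succeed" for any DN.
    if ($username === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect('ldap://ldap.example.invalid'); // placeholder host
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Look the user up with an escaped filter instead of interpolating raw input.
    $filter = '(&(objectClass=person)(uid=' . ldapEscapeFilterValue($username) . '))';
    $base = 'ou=people,dc=example,dc=invalid'; // placeholder base DN
    $res = @ldap_search($conn, $base, $filter, ['dn']);
    if ($res === false) {
        return false;
    }
    $entries = ldap_get_entries($conn, $res);
    if ($entries['count'] !== 1) {
        return false; // no match, or an ambiguous match
    }
    // Bind as the matched DN with the user's own (non-empty) password.
    return @ldap_bind($conn, $entries[0]['dn'], $password);
}
```

PHP 5.6 and later also ship ldap_escape($value, '', LDAP_ESCAPE_FILTER), which performs the filter escaping of the four metacharacters for you.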