LDAP Injection [Catalyst]
Knut-Olav Hoven
hovenko at linpro.no
Thu Jan 24 15:42:16 GMT 2008
use Net::LDAP::Util;
my $escaped_search = Net::LDAP::Util::escape_filter_value($search);
On Thursday 24 January 2008 16:30:10 Carl Johnstone wrote:
> Oh another LDAP subject that I meant to mention - LDAP Injection. It's
> something that's been mentioned regarding our use of LDAP.
>
> For example C:P:Auth:Store:LDAP suggests using a filter like:
>
> (&(objectClass=posixAccount)(uid=%s))
>
> Then does:
>
> $filter =~ s/\%s/$replace/g;
>
>
> Which on a casual glance would seem to be a possibility for a
> LDAP-injection attack.
>
> The problems due to SQL Injection are well known and nobody would write
> similar code to interact with a DB. However there seems to be little in
> CPAN that acknowledges the risks of LDAP Injection.
>
> I suspect that Net::LDAP doesn't help here, there is a reference to making
> use of Net::LDAP::Filter to specify queries that will be properly escaped -
> however there isn't an example in the POD (hell I glanced at the source and
> couldn't be entirely sure).
>
> So again is this an area that anybody has considered and has some
> experience to share?
>
> Thanks again,
>
> Carl
>
>
> _______________________________________________
> List: Catalyst at lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
--
Knut-Olav Hoven
Systemutvikler mob: +47 986 71 700
Linpro AS http://www.linpro.no/
More information about the Catalyst
mailing list