LDAP Injection [Catalyst]

Gavin Henry ghenry at perl.me.uk
Thu Jan 24 20:55:22 GMT 2008


<quote who="Carl Johnstone">
> Oh another LDAP subject that I meant to mention - LDAP Injection. It's
> something that's been mentioned regarding our use of LDAP.
>
> For example C:P:Auth:Store:LDAP suggests using a filter like:
>
> (&(objectClass=posixAccount)(uid=%s))
>
> Then does:
>
> $filter =~ s/\%s/$replace/g;
>
>
> Which on a casual glance would seem to be a possibility for a
> LDAP-injection
> attack.

It doesn't matter, it will get rejected as a bad filter:

[ghenry at suretec ~]$ ldapsearch -x
"(&(objectClass=posixAccount)(uid==&234%20%/ad%%%%)$1\\))"
# extended LDIF
#
# LDAPv3
# base <dc=suretecsystems, dc=com> (default) with scope subtree
# filter: (&(objectClass=posixAccount)(uid==&234%%%%%)\))
# requesting: ALL
#

ldapsearch: ldap_search_ext: Bad search filter (-7)


>
> The problems due to SQL Injection are well known and nobody would write
> similar code to interact with a DB. However there seems to be little in CPAN
> that acknowledges the risks of LDAP Injection.
>
> I suspect that Net::LDAP doesn't help here, there is a reference to making
> use of Net::LDAP::Filter to specify queries that will be properly escaped -
> however there isn't an example in the POD (hell I glanced at the source and
> couldn't be entirely sure).
>
> So again is this an area that anybody has considered and has some experience
> to share?
>
> Thanks again,
>
> Carl
>
>
> _______________________________________________
> List: Catalyst at lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive:
> http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
>
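An added example (not code from the thread or from Catalyst::Plugin::Authentication) contrasting the `s/\%s/$replace/g` substitution quoted above with the same template filled via `escape_filter_value` from Net::LDAP::Util, a module the thread does not name. It escapes the RFC 4515 metacharacters before substitution and then hands each result to Net::LDAP::Filter->new to show which strings the parser accepts; the sample uids are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Filter;

# Template from the thread: the uid is spliced in where %s appears.
my $template = '(&(objectClass=posixAccount)(uid=%s))';

# Naive substitution, as quoted in the thread: no escaping of the value.
sub naive_filter {
    my ($value) = @_;
    (my $filter = $template) =~ s/\%s/$value/g;
    return $filter;
}

# Hardened variant: escape per RFC 4515 first, so that
# '(' ')' '*' '\' and NUL become \28 \29 \2a \5c \00 and can only
# ever be matched literally, never parsed as filter syntax.
sub safe_filter {
    my ($value) = @_;
    my $escaped = escape_filter_value($value);
    (my $filter = $template) =~ s/\%s/$escaped/g;
    return $filter;
}

# Net::LDAP::Filter->new returns undef when the string is not a
# syntactically valid filter, which is the "bad filter" case above.
sub parses_ok {
    my ($filter) = @_;
    return defined Net::LDAP::Filter->new($filter) ? 'parses' : 'rejected';
}

# Constructed sample inputs: an ordinary uid, a bare wildcard, and a
# value containing a backslash and parentheses.
for my $uid ('carl', '*', 'o\'brien)(') {
    my $naive = naive_filter($uid);
    my $safe  = safe_filter($uid);
    printf "input: %s\n",        $uid;
    printf "  naive: %-45s %s\n", $naive, parses_ok($naive);
    printf "  safe:  %-45s %s\n\n", $safe, parses_ok($safe);
}
```

A bare `*` makes the naive filter `(uid=*)`, which is well-formed and accepted by the parser, so it is the escaping step, not parser rejection, that keeps the substituted value from changing what the query matches.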
