FAQ
<quote who="Carl Johnstone">
Oh another LDAP subject that I meant to mention - LDAP Injection. It's
something that's been mentioned regarding our use of LDAP.

For example C:P:Auth:Store:LDAP suggests using a filter like:

(&(objectClass=posixAccount)(uid=%s))

Then does:

$filter =~ s/\%s/$replace/g;


Which on a casual glance would seem to be a possibility for a
LDAP-injection
attack.
It doesn't matter, it will get rejected as a bad filter:

[ghenry@suretec ~]$ ldapsearch -x
"(&(objectClass=posixAccount)(uid==&234%20%/ad%%%%)$1\\))"
# extended LDIF
#
# LDAPv3
# base <dc=suretecsystems, dc=com> (default) with scope subtree
# filter: (&(objectClass=posixAccount)(uid==&234%%%%%)\))
# requesting: ALL
#

ldapsearch: ldap_search_ext: Bad search filter (-7)

The problems due to SQL Injection are well known and nobody would write
similar code to interact with a DB. However there seems to be little in
CPAN
that acknowledges the risks of LDAP Injection.

I suspect that Net::LDAP doesn't help here, there is a reference to making
use of Net::LDAP::Filter to specify queries that will be properly escaped
-
however there isn't an example in the POD (hell I glanced at the source
and
couldn't be entirely sure).

So again is this an area that anybody has considered and has some
experience
to share?

Thanks again,

Carl


_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive:
http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

Search Discussions

Discussion Posts

Previous

Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 5 of 10 | next ›
Discussion Overview
groupcatalyst @
categoriescatalyst, perl
postedJan 24, '08 at 3:05p
activeJan 29, '08 at 12:00a
posts10
users4
websitecatalystframework.org
irc#catalyst

People

Translate

site design / logo © 2021 Grokbase