Without proper access control, executing an LDAP statement that contains a user-controlled value can allow an attacker to access unauthorized records.
Executing LDAP queries under an anonymous bind, effectively without authentication, can allow an attacker to abuse a poorly configured LDAP environment.
Example 1: The following code uses ldap_simple_bind_s() to bind anonymously to an LDAP directory.
...
#include <ldap.h>
...
/* Both the DN and the credentials are NULL, so no identity is asserted: this is an anonymous bind. */
rc = ldap_simple_bind_s( ld, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
    /* the bind failed; report ldap_err2string( rc ) and stop */
    ...
}
...
Any LDAP queries subsequently issued on the connection handle ld will be performed without authentication and access control. An attacker might be able to manipulate one of these queries in an unexpected way to gain access to records that would otherwise be protected by the directory's access control mechanism.
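The following is an added example, not code from the original page, showing the check a caller can apply before the bind so that neither an anonymous bind nor the related "unauthenticated" simple bind (a DN with an empty password, which RFC 4513 defines and which many servers silently treat as anonymous) ever reaches the directory. The real bind call would be ldap_sasl_bind_s() with LDAP_SASL_SIMPLE (ldap_simple_bind_s() is deprecated in OpenLDAP); it is represented here by a function pointer so the file compiles without libldap, and the fake_bind() stand-in, the service-account DN and the password are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* The three credential shapes RFC 4513 distinguishes for a simple bind. */
enum bind_kind {
    BIND_ANONYMOUS,        /* empty DN and empty password: no identity at all */
    BIND_UNAUTHENTICATED,  /* DN given but empty password: servers commonly treat this as anonymous */
    BIND_AUTHENTICATED     /* DN and password both present */
};

static int is_blank(const char *s)
{
    return s == NULL || s[0] == '\0';
}

/* Classify credentials before they are handed to the LDAP library. */
enum bind_kind classify_simple_bind(const char *dn, const char *password)
{
    if (is_blank(dn) && is_blank(password))
        return BIND_ANONYMOUS;
    if (is_blank(password))
        return BIND_UNAUTHENTICATED;
    return BIND_AUTHENTICATED;
}

/* Shape of the real bind call (assumption: the caller wraps
 * ldap_sasl_bind_s(ld, dn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL)
 * behind this signature). Using a pointer keeps this file free of ldap.h. */
typedef int (*simple_bind_fn)(void *ld, const char *dn, const char *password);

/* Distinct from every libldap result code, where 0 is LDAP_SUCCESS. */
#define GUARD_REFUSED (-1)

/* Only an authenticated simple bind is allowed to reach the server. */
int guarded_simple_bind(void *ld, const char *dn, const char *password, simple_bind_fn do_bind)
{
    if (classify_simple_bind(dn, password) != BIND_AUTHENTICATED)
        return GUARD_REFUSED;
    return do_bind(ld, dn, password);
}

/* Constructed stand-in for the library call so the example runs offline:
 * it records the DN it was asked to bind as and reports success. */
static char last_bound_dn[256];

static int fake_bind(void *ld, const char *dn, const char *password)
{
    (void)ld;
    (void)password;
    strncpy(last_bound_dn, dn, sizeof last_bound_dn - 1);
    last_bound_dn[sizeof last_bound_dn - 1] = '\0';
    return 0;
}

const char *last_bound_dn_value(void)
{
    return last_bound_dn;
}

/* The vulnerable pattern from the page (NULL, NULL) is refused before any
 * network call; the service-account bind goes through. */
int demo_vulnerable_bind(void)
{
    return guarded_simple_bind(NULL, NULL, NULL, fake_bind);
}

int demo_hardened_bind(void)
{
    /* constructed values: in practice the password comes from a secret store, never source code */
    return guarded_simple_bind(NULL, "cn=svc-app,ou=services,dc=example,dc=com",
                               "constructed-password", fake_bind);
}
```

Because a simple bind sends the password in the clear, the connection should already be protected by TLS (ldap_start_tls_s() or an ldaps:// URL) before the guarded bind runs, and the service account used should be granted only the directory entries and attributes the application needs, so that the directory's own access control still limits what a manipulated query can return.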
[1] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A10 Failure to Restrict URL Access
[2] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A2 Broken Access Control
[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A8 Failure to Restrict URL Access
[4] Standards Mapping - FIPS200 - (FISMA) AC
[5] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3480.1 CAT II
[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 285
[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authorization
[8] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Porous Defenses - CWE ID 285
[9] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 285
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.10, Requirement 7.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.2, Requirement 7.2
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8, Requirement 7.2