ABSTRACT

Using a user-controlled value outside the filter string of an LDAP statement (for example, as the base DN, the scope or the attribute list of a search) can allow an attacker to change what the statement does, not merely what it matches, or to have the directory perform operations the application never intended.

EXPLANATION

LDAP manipulation errors occur when:

1. Data enters a program from an untrusted source.

2. The data is used outside the filter string in a dynamically built LDAP statement, for example as the base DN of a search.

Example 1: The following code reads a DN string from a socket and uses it, without validation, as the base of an LDAP search.


...
/* Anonymous bind: everything that follows runs without a user identity. */
rc = ldap_simple_bind_s( ld, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
...
}
...

/* The base DN is read verbatim from the client and never validated. */
fgets(dn, sizeof(dn), socket);

/* The attacker-supplied dn decides where in the directory the search is rooted. */
if ( ( rc = ldap_search_ext_s( ld, dn, LDAP_SCOPE_BASE,
filter, NULL, 0, NULL, NULL, NULL /* no timeout */,
LDAP_NO_LIMIT, &result ) ) != LDAP_SUCCESS ) {
...


Because the base DN originates from user input and the query is performed under an anonymous bind, an attacker can alter the results of the query by supplying an unexpected DN: the search is rooted wherever the client says, not where the application intended. The underlying problem is that the developer did not use the access control mechanisms available (binding as the authenticated user, or as a service account whose directory ACLs are scoped accordingly) to restrict subsequent queries to only those records the current user is permitted to read.
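As an added example, not part of the original page, the following C code shows one way to keep the base DN under the application's control rather than the client's. The client supplies only an identifier; it is length-checked, escaped according to RFC 4514 and placed into a DN of fixed shape whose suffix the program chooses. A second helper handles the case where a caller-supplied DN must be accepted anyway and checks that it still lies under the intended subtree, including the edge case of an escaped comma inside a value. The suffix ou=people,dc=example,dc=com, the uid attribute, the length limit and the sample inputs are assumptions made for the demonstration; no libldap call is made, so the block runs without a directory server.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Assumed directory layout for this example: all user entries live under
 * this subtree, keyed by the uid attribute. Neither is taken from the page. */
#define PEOPLE_BASE "ou=people,dc=example,dc=com"
#define MAX_UID_LEN 64

/* Escape one attribute value for use inside a DN (RFC 4514 section 2.4):
 * a backslash goes before , + " \ < > ; anywhere, before # or a space at
 * the start, and before a space at the end. Returns the escaped length or
 * -1 if out cannot hold the result plus its terminating NUL. */
int dn_escape_value(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in), o = 0;
    if (outlen == 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        char c = in[i];
        int escape = strchr(",+\"\\<>;", c) != NULL
                  || (i == 0 && (c == '#' || c == ' '))
                  || (i == n - 1 && c == ' ');
        if (escape) {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= outlen)
            return -1;
        out[o++] = c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "uid=<escaped uid>,ou=people,dc=example,dc=com" from an untrusted
 * identifier. The client controls only the RDN value; the subtree the
 * search is rooted in is fixed by the program. Returns 0 on success, -1 if
 * uid is empty, too long, contains control bytes, or does not fit in out. */
int build_user_dn(const char *uid, char *out, size_t outlen)
{
    size_t n = strlen(uid);
    char escaped[2 * MAX_UID_LEN + 1];   /* worst case: every byte escaped */

    if (n == 0 || n > MAX_UID_LEN)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)uid[i];
        if (c < 0x20 || c == 0x7f)       /* reject control characters outright */
            return -1;
    }
    if (dn_escape_value(uid, escaped, sizeof escaped) < 0)
        return -1;
    int w = snprintf(out, outlen, "uid=%s,%s", escaped, PEOPLE_BASE);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* For code paths that must accept a caller-supplied DN: return 1 if dn is
 * base itself or sits below it, 0 otherwise. The comma in front of the
 * suffix must be a real RDN separator, so a comma preceded by an odd number
 * of backslashes (an escaped comma inside a value) does not count.
 * Attribute types compare case-insensitively, hence strcasecmp. */
int dn_under_base(const char *dn, const char *base)
{
    size_t dl = strlen(dn), bl = strlen(base);
    if (dl < bl || strcasecmp(dn + dl - bl, base) != 0)
        return 0;
    if (dl == bl)
        return 1;
    size_t sep = dl - bl - 1;            /* index of the would-be separator */
    if (dn[sep] != ',')
        return 0;
    size_t backslashes = 0;
    while (backslashes < sep && dn[sep - 1 - backslashes] == '\\')
        backslashes++;
    return (backslashes % 2) == 0;
}

int main(void)
{
    /* Constructed inputs: a benign uid and one that tries to smuggle extra RDNs. */
    const char *inputs[] = { "alice", "smith,ou=admins", "" };
    char dn[256];
    for (size_t i = 0; i < 3; i++) {
        if (build_user_dn(inputs[i], dn, sizeof dn) == 0)
            printf("%-20s -> %s (under base: %d)\n", inputs[i], dn,
                   dn_under_base(dn, PEOPLE_BASE));
        else
            printf("%-20s -> rejected\n", inputs[i]);
    }
    printf("cn=admin,dc=example,dc=com under base: %d\n",
           dn_under_base("cn=admin,dc=example,dc=com", PEOPLE_BASE));
    return 0;
}
```

The DN produced by build_user_dn is what would be passed as the base argument of ldap_search_ext_s in place of the raw buffer read from the socket. Note that dn_under_base only restricts where a search is rooted; it says nothing about which entries inside that subtree the caller may read, which is why the search should also run under a bind that carries the user's identity (or a service account with suitably scoped directory ACLs) rather than an anonymous one.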

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input

[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I

[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 90

[4] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 116

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1

[7] Standards Mapping - FIPS200 - (FISMA) SI