Without proper access control, executing an LDAP statement that contains a user-controlled value can allow an attacker to access unauthorized directory entries.
Database access control errors occur when:
1. Data enters a program from an untrusted source.
2. The data is used to specify a data value in an LDAP query.
Example 1: The following code uses a whitelist to validate an employee name read from a socket before using it to construct an LDAP query. This validation prevents LDAP injection vulnerabilities, but may still leave the code vulnerable.
...
fgets(username, sizeof(username), socket);
char* regex = "^[a-zA-Z\-\.']$";
re = pcre_compile(regex, 0, &err, &errOffset, NULL);
rc = pcre_exec(re, NULL, username, strlen(username), 0, 0, NULL, 0);
if(rc == 1) {
snprintf(filter, sizeof(filter), "(employee=%s)", username);
if ( ( rc = ldap_search_ext_s( ld, FIND_DN, LDAP_SCOPE_BASE,
filter, NULL, 0, NULL, NULL, LDAP_NO_LIMIT,
LDAP_NO_LIMIT, &result ) ) == LDAP_SUCCESS ) {
...
}
}
username
. Because the code in this example executes the query under an anonymous bind, it will return the directory entry for any valid employee ID, regardless of the identity of the current authenticated user.
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A2 Broken Access Control
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A4 Insecure Direct Object Reference
[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object References
[4] Standards Mapping - FIPS200 - (FISMA) AC
[5] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I
[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 639
[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authorization
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8