Executing an LDAP statement that contains a user-controlled value outside the filter string can allow an attacker to alter the statement's meaning or execute arbitrary LDAP commands.
LDAP manipulation errors occur when:
1. Data enters a program from an untrusted source.
2. The data is used outside the filter string in a dynamic LDAP statement.
Example 1: The following code reads an ou
string from a hidden field submitted through an HTTP request and uses it to create a new DirectoryEntry
.
...
de = new DirectoryEntry("LDAP://ad.example.com:389/ou="
+ hiddenOU.Text + ",dc=example,dc=com");
...
ou
value. The problem is that the developer failed to leverage the appropriate access control mechanisms necessary to restrict subsequent queries to access only employee records the current user is permitted to read.
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input
[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I
[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 90
[4] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 116
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1
[7] Standards Mapping - FIPS200 - (FISMA) SI