ABSTRACT

Executing an LDAP statement that contains a user-controlled value outside the filter string can allow an attacker to alter the statement's meaning or execute arbitrary LDAP commands.

EXPLANATION

LDAP manipulation errors occur when:

1. Data enters a program from an untrusted source.

2. The data is used outside the filter string in a dynamic LDAP statement.

Example 1: The following code reads a username and password from an HTTP request and uses it to perform an LDAP lookup.


// Requires javax.naming.* and javax.naming.directory.* (JNDI).
// Anonymous bind: no caller identity is presented to the directory.
Hashtable<String, Object> env = new Hashtable<>();
env.put(Context.SECURITY_AUTHENTICATION, "none");
DirContext ctx = new InitialDirContext(env);

// Untrusted value taken directly from the request.
String empID = request.getParameter("empID");

try
{
// The user-controlled value becomes the attribute the search matches on.
Attributes matchAttrs = new BasicAttributes(true);
matchAttrs.put(new BasicAttribute("empID", empID));

NamingEnumeration<SearchResult> employee =
ctx.search("ou=People,dc=example,dc=com", matchAttrs);
...
}
catch (NamingException e)
{
...
}

Because the query incorporates user input and runs under an anonymous bind, it returns the details for any username specified, regardless of whether it matches the specified password. An attacker can use the code above to look up the details of any employee in the system, a serious privacy violation. The underlying problem is that the developer did not apply the access control mechanisms needed to restrict the query to only those employee records the current user is permitted to read.
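
A hardened counterpart to Example 1, added here as an illustration and not part of the original text: the lookup binds with the caller's own credentials instead of anonymously, so the directory's access controls decide which records are readable, and the user-supplied ID is passed as a JNDI filter argument ({0}) so it is escaped rather than spliced into the statement. The class name, method name, server URL and attribute names are assumptions for the example.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class EmployeeLookup {  // hypothetical class name
    private static final String BASE = "ou=People,dc=example,dc=com";

    /** Look up one employee record on behalf of an already-authenticated caller. */
    static Attributes lookup(String callerDn, char[] callerPassword, String empID)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.com:636"); // assumed host
        // Bind as the caller, not anonymously: the server's ACLs now bound what is visible.
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, callerDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(callerPassword));

        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"cn", "mail"}); // only what is needed
            sc.setCountLimit(1);
            // {0} is substituted and escaped by JNDI, so '*', '(', ')' and '\' in empID
            // cannot change the filter's structure.
            NamingEnumeration<SearchResult> results =
                ctx.search(BASE, "(&(objectClass=inetOrgPerson)(empID={0}))",
                           new Object[] {empID}, sc);
            return results.hasMore() ? results.next().getAttributes() : null;
        } finally {
            ctx.close();
        }
    }
}
```

The authenticated bind only helps if the directory's ACLs actually restrict reads to the entries the bound user should see; where they do not, narrow the search base to the caller's own entry instead of the whole ou=People subtree.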

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input

[2] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A2 Broken Access Control

[3] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A4 Insecure Direct Object Reference

[4] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object References

[5] Standards Mapping - FIPS200 - (FISMA) AC

[6] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I

[7] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 639

[8] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 90

[9] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 116

[10] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authorization

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.2

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.4

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8

[16] Standards Mapping - FIPS200 - (FISMA) SI