Hi Jacob,

You are absolutely correct that any user-submitted data used for logic 
should always be sanitized; if not for security, then at least for 
expected behavior.

However, I do not think that LDAP filter injection presents a security 
risk here at UVM since we do not expose password attributes, nor do we 
store keys in LDAP.

Also, if the query is bound to a particular user's account, it may only 
be so if that user has supplied their credential.  Any information 
available is already granted to that user, and an injection would not 
gain additional information.

These security constraints exist in LDAP.  We try to design UVM systems 
to make sure that poor programming against LDAP or SQL (etc.) doesn't 
jeopardize the information outside that programmer's domain.

I'd like very much to be shown where we are wrong about this.  Feel free 
to show us a functioning vulnerability.  I'll be very pleased to be 
shown to be wrong, and SAA will be pleased to improve the security of 
our systems.

My purpose here is not to discredit the seriousness of injection 
attacks.  Rather, I'd like to publicly state my own feeling about the 
risk this presents to UVM's LDAP security -- that the risk is rather 
small -- in order to combat the risk that FUD could creep into this 
great IT community at UVM.


Benjamin Coddington
Systems Architecture and Administration
Enterprise Technology Services
University of Vermont

On 9/10/10 4:38 PM, Jacob Richard Beauregard wrote:
> I am querying LDAP via PHP and was searching for resources regarding how I
> should manage the data I get out of it. When I came across this post, I felt
> compelled to reply because the code that had been written in this thread is
> susceptible to an injection attack. I doubt that would be a likely thing to
> happen (albeit malicious consequence), but if the query is bound to a user's
> account, it could compromise some very sensitive data for that user, and if
> it's bound to someone who has even more access?
> I wrote the following earlier which escapes a term for a filter (however,
> not for distinguished names, which I hope anyone would keep in mind):
>          private static function ldap_filter_escape($str) {
>                  // Backslash must be mapped first: str_replace applies the
>                  // pairs in order, so escaping "*" to "\2a" before "\" would
>                  // turn that new backslash into "\5c2a".
>                  $map = array(
>                          "\\"   =>  "\\5c",
>                          "*"    =>  "\\2a",
>                          "("    =>  "\\28",
>                          ")"    =>  "\\29",
>                          chr(0) =>  "\\00",
>                  );
>                  return str_replace(array_keys($map), array_values($map), $str);
>          }
> On Mon, 15 Jun 2009 11:54:32 -0400, Tyler Whitney<[log in to unmask]>  wrote:
>> Thank you very much!
>> In fact I hadn't remembered you covering it, I apologize for not reading
>> thoroughly.
>> Thanks for sparking my mind about the print_r command.... I was trying
>> to see how the complex array was organized. I now get the structure.
>> This is what the code I was testing with looked like:
>> $ds = $LDAPLink;
>>             // $person is all or part of a person's name, eg "Jo"
>>             $person = "Tyler";
>>             $dn = "ou=People,dc=uvm,dc=edu";
>>             $filter="(|(sn=$person*)(givenname=$person*))";
>>             $justthese = array("ou", "sn", "givenname", "mail");
>>             $sr=ldap_search($ds, $dn, $filter, $justthese);
>>             $info = ldap_get_entries($ds, $sr);
>> --------------
>> from there I wasn't figuring out the structure of $info... but as you
>> mentioned, I just did a print_r and I now see quite the complexity.
>> Looks like I will be needing some for loops to format the information
>> accordingly, I'm not quite sure this is user interface friendly the way it
>> is. ;-)
>> My appreciation goes out! And again I apologize for not reading the
>> previous message thoroughly before posting again.
>> Tyler
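An added example (not code from any message in this thread) that renders the escaping Jacob describes in Python, escapes per character so the backslash rule can never re-escape earlier output, shows the double-escaping that ordered chained replacements produce, and builds Tyler's name filter from the escaped term. Function names and the sample inputs are my own.

```python
"""RFC 4515 search-filter value escaping, worked on the thread's example."""

# Characters that must be escaped inside an LDAP filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape one character at a time; output is never fed back into a rule."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def chained_replace_escape(value: str) -> str:
    """Reproduces the pitfall of applying replacements one after another with
    the backslash rule last: '*' becomes '\\2a', then that backslash is escaped
    again, giving '\\5c2a'. Kept here only to show why ordering matters."""
    for raw, esc in [("*", r"\2a"), ("(", r"\28"), (")", r"\29"),
                     ("\\", r"\5c"), ("\x00", r"\00")]:
        value = value.replace(raw, esc)
    return value


def person_filter(person: str) -> str:
    """The thread's prefix search on surname or given name, with the term
    escaped so the user-supplied text stays a literal value."""
    term = ldap_filter_escape(person)
    return f"(|(sn={term}*)(givenname={term}*))"


def open_paren_count(filt: str) -> int:
    """Count unescaped '(' in a filter, i.e. how many components the server
    will actually parse. A safely built person_filter always yields 3."""
    count, i = 0, 0
    while i < len(filt):
        if filt[i] == "\\":
            i += 3  # skip a \XX escape sequence
            continue
        if filt[i] == "(":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    for sample in ("Tyler", "O*Brien", "x)(y"):  # constructed inputs
        print(person_filter(sample), open_paren_count(person_filter(sample)))
```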