LDAP Injection Vulnerabilities

Home / Hacking, News, Security / LDAP Injection Vulnerabilities

March 22, 2008 PlanetCreator 0 Comments 0 tags

LDAP Injection Overview

LDAP Injection attacks are not as common as the other types of injection attacks, but if your product uses an LDAP server this must be tested. An LDAP Injection could occur anywhere that the underlying code could use some type of input for any ldap searches, queries, or any other ldap function.
Example of what an LDAP injection attack could look like.

Take for example, a page that has a search box to search for users in an application. This search box could ask for a username. The underlying code would take this search query information and generate the LDAP query that will be used to search the ldap database.

For example
Enter the name to search for

Following the LDAP search query syntax, a developer attempts to narrow down the ldap query for performance. And the underlying code might perform something similar to the following
String ldapSearchQuery = “(cn=” + $username + “)”;
System.out.println(ldapSearchQuery);

If the variable $username is not validated to be an accurate and valid possible username, an ldap injection could be possible. Take for example the following types of situations

* What if the user puts an * for the search. This will return every username in the ldap database
* What if the user puts in an joe)(|(password=*). This will create a ldap search query like (cn=joe)(|(password=*) ) Which would return the users joe password.

There are all sorts of other possibilities as to what could be used with ldap injection vulnerabilities. If you are testing a software application that uses an ldap server on the backend, you must become familiar with the ldap searching syntax and what the possible ldap searches you can perform with it.
How do you fix the LDAP Injection vulnerability?

Input validation!!! The underlying code needs to verify the correct input using a white list. If the input is verified against a white list using a regular expression then the input could be rejected and the end user would need to input the correct data. Don’t let a malicious user mis-use your application. Verify that the input is validated and that there is not the ability to inject additional ldap information, especially the () | * characters.

Explore More

Critical Blind SQL injection in ChartNexus.com

PlanetCreator has reported another critical Blind SQL Injection (vulnerability) on http://www.starinvestorrelations.com/ which owned by FiNEX Solutions Pte. Ltd. (“FiNEX Solutions”) powered by http://www.chartnexus.com/ This vulnerability has been alerted to :-

Hacking Computers Illegal Violation Access To Machines Cyber Crime

The term â€œhackingâ€ has become one of those words today that are often frowned upon by people who occasionally have no idea what it involves. This homogenization of the signification

PlanetCreator advised Pfingo’s Webmasters to check their Security

We found some security weaknesses in Pfingo.com They still have to fix and have to delete MySQL dump files in their directory. We notified this issue to pfingo yesterday! pfingoadmin.sql

[webapps] MoziloCMS 3.0 - Remote Code Execution (RCE)
on March 27, 2025 at 12:00 am
MoziloCMS 3.0 - Remote Code Execution (RCE)
[webapps] KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR)
on March 27, 2025 at 12:00 am
KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR)
[webapps] X2CRM 8.5 - Stored Cross-Site Scripting (XSS)
on March 27, 2025 at 12:00 am
X2CRM 8.5 - Stored Cross-Site Scripting (XSS)
[local] NVIDIA Container Toolkit 1.16.1 - Time-of-check Time-of-Use (TOCTOU)
on March 26, 2025 at 12:00 am
NVIDIA Container Toolkit 1.16.1 - Time-of-check Time-of-Use (TOCTOU)
[remote] Microsoft Windows - NTLM Hash Leak Malicious Windows Theme
on March 22, 2025 at 12:00 am
Microsoft Windows - NTLM Hash Leak Malicious Windows Theme