"LDAP Injection" attacks

[Howard Chu <hyc@symas.com>]

A paper and presentation making the rounds, claiming to show how webapps using 
LDAP are vulnerable to search filter spoofing attacks.

http://www.youtube.com/watch?v=wtahzm_R8e4
http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf

Can't imagine that work like this gets peer-reviewed, because it's mostly 
garbage. They concoct a scenario in section 4.1.1 of their paper, supposedly 
showing how filter manipulation can allow a webapp user to bypass LDAP-based 
authentication. It's ridiculous drivel though, since LDAP-based authentication 
uses Bind requests and not search filters. Most LDAP deployments don't even 
give search/compare access to userPassword attributes in the first place.

Just in case anybody out there might be bitten by this info - client-enforced 
security is no security at all. This is why slapd has such an extensive ACL 
engine - you enforce access controls on the server, and then it doesn't matter 
what kind of garbage requests your clients send to you, they can only ever 
access information that they were allowed to access. This is also why the old 
pam_ldap authorization scheme was such a bad idea, it relied on the LDAP 
client (pam_ldap) to correctly implement authorization, instead of the server. 
(Multiply that by hundreds or thousands of clients and you have an 
unmanageable, insecurable mess.) This is why we have nssov today.

Of course, this is no excuse to be sloppy when writing your web apps. But if 
you've configured ACLs to adequately protect your data, then it doesn't matter 
how sloppy your clients are.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/