
Re: "LDAP Injection" attacks



Howard Chu wrote:
> I suppose in a poorly designed app this is possible.

I think that's what the paper is about: there are indeed many poorly designed apps
out there.

> "Reading access control
> data from wrong LDAP entries" is also wrong design. There is no reason for an
> app to ever read access control data. At most, it only needs to do an LDAP
> Compare operation and let the server verify such data. And again, Compare
> requests aren't vulnerable.

In federation deployments the component controlling access to a local resource
most times does not even have access to your user (LDAP) backend database.

Ciao, Michael.


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
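The poorly designed app both posters have in mind is one that splices untrusted input straight into an LDAP search filter or DN. The block below is an added example written for this page; it is not code from the thread, the paper, or OpenLDAP. It escapes values the way RFC 4515 (search filters) and RFC 4514 (distinguished names) require, so that user-supplied text can only ever match as data and never change the filter's structure or address a different entry, and it adds a small check an app can use to log inputs that contain filter metacharacters. The base DN, attribute names and sample inputs are constructed for illustration.

```python
# Added example (not from the thread or OpenLDAP): escaping LDAP filter and DN
# values built from untrusted input. Assumes a hypothetical directory laid out as
# uid=<user>,ou=people,dc=example,dc=com with inetOrgPerson entries.

# RFC 4515 section 3: these characters must be written as \XX (hex) inside a
# filter assertion value. Backslash is in the table, so escaping is single-pass.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# RFC 4514 section 2.4: characters that need a leading backslash in a DN value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it matches literally inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif i == 0 and ch in "# ":          # leading '#' or space must be escaped
            out.append("\\" + ch)
        elif i == last and ch == " ":        # trailing space must be escaped
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def contains_filter_metachars(value: str) -> bool:
    """Defender-side check: True if the raw input would alter filter structure
    were it spliced in unescaped. Useful for logging suspicious input; the
    value should still be escaped regardless of the result."""
    return any(ch in value for ch in _FILTER_ESCAPES)


def build_user_filter(username: str) -> str:
    """Search filter that can only ever match on the literal username."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"


def build_user_dn(cn: str, base_dn: str = "ou=people,dc=example,dc=com") -> str:
    """DN for a user entry; the cn value cannot inject extra RDN components."""
    return f"cn={escape_dn_value(cn)},{base_dn}"


if __name__ == "__main__":
    # Constructed input: a legitimate-looking display name containing characters
    # that are filter syntax. Escaped, it stays a single assertion value.
    for raw in ("jdoe", "o'neil (ops)*"):
        print(build_user_filter(raw), "| flagged:", contains_filter_metachars(raw))
    print(build_user_dn("Doe, John"))
```

In an app that follows Howard's advice and uses an LDAP Compare instead of reading access-control attributes, the same rule applies to the DN passed to the Compare request: build it with escape_dn_value so the request can only ever name the intended entry.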