[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: "LDAP Injection" attacks

To: Howard Chu <hyc@symas.com>
Subject: Re: "LDAP Injection" attacks
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sun, 29 Dec 2013 17:25:15 +0100
Cc: devzero2000 <pinto.elia@gmail.com>, OpenLDAP Technical <openldap-technical@openldap.org>
In-reply-to: <525925B8.1010309@symas.com> (Howard Chu's message of "Sat, 12 Oct 2013 03:34:32 -0700")
References: <5258448D.1010001@symas.com> <CAH5b-BX61+K=WoNcyQBtkGOsrfXGA_pTK=T_jbk7BEqK6TgcSw@mail.gmail.com> <525925B8.1010309@symas.com>

* Howard Chu:

> Look at the volume of messages on this list related to ACLs - clearly,
> most OpenLDAP admins are both conscious of and conscientious about
> using effective ACLs.

I think the concern here is access control mechanisms fed from LDAP,
not access to the LDAP database itself.

Quite a few AAA systems have configurable LDAP search filters with
placeholders and construct the final filter string using simple
concatenation.  Manipulated filter strings could trick the system into
loading (and eventually applying) the wrong set of access controls.

It might make sense for OpenLDAP to provide a version of
ldap_search_ext which separates the filter and any parameters
contained in it, or provide means to construct filters in a way that
is more robust than string concatenation.

Prev by Date: Re: write access issue
Next by Date: RE: acl problem
Index(es):
- Chronological
- Thread