
Re: "LDAP Injection" attacks



Howard Chu wrote:
> Look at the volume of messages on this list related to ACLs - clearly, most
> OpenLDAP admins are both conscious of and conscientious about using effective
> ACLs.

But unfortunately the majority of web app deployments with some sort of LDAP
server as backend use a *single* quite powerful system user. Deployments where
the end user's authz-DN is used for access control are rather rare. It's
always a very hard budget fight to change that.

To be very clear:
I'm personally in favour of letting the LDAP server enforce access control as
much as possible.

BTW: When designing ACLs, are people here using some sort of regression testing?

Also, possibly manipulated search results might be used as input to other
components, leading to false security decisions. Really skilled attackers
combine their attacks over non-obvious corner cases, similar to skilled pool
players playing off the cushion. (Native English speakers are welcome to correct
my sentence if I didn't get that right.)

So papers like this are needed to remind innocent developers to properly
escape users' input when constructing search filters. But the authors should
not exaggerate their findings as they actually do.

Ciao, Michael.
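
The escaping Michael refers to, shown as an added example that is not part of this thread: an RFC 4515 assertion-value escaper, the raw-concatenation filter beside the hardened one, and a small item counter that makes the difference visible. The `inetOrgPerson`/`uid` filter shape and the sample input are constructed for illustration.

```python
import re

# Characters RFC 4515 (section 3) requires to be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter.

    Each special character becomes a backslash plus two hex digits; control and
    non-ASCII characters are escaped byte by byte from their UTF-8 encoding."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter_unsafe(uid: str) -> str:
    """The defect the paper warns about: user input concatenated into the filter."""
    return f"(&(objectClass=inetOrgPerson)(uid={uid}))"


def build_user_filter(uid: str) -> str:
    """Hardened form: the input can only ever be a single escaped assertion value."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(uid)}))"


def count_filter_items(filter_str: str) -> int:
    """Count attribute=value items in a filter string.

    Input that manages to add items is the classic injection symptom; with
    escaping in place the count stays exactly what the developer wrote."""
    return len(re.findall(r"\([^()]*=[^()]*\)", filter_str))


if __name__ == "__main__":
    sample = "jdoe)(mail=*"  # constructed input containing filter metacharacters
    print(build_user_filter_unsafe(sample), count_filter_items(build_user_filter_unsafe(sample)))
    print(build_user_filter(sample), count_filter_items(build_user_filter(sample)))
```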
