[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: "LDAP Injection" attacks
* Howard Chu:
> Look at the volume of messages on this list related to ACLs - clearly,
> most OpenLDAP admins are both conscious of and conscientious about
> using effective ACLs.
I think the concern here is access control mechanisms fed from LDAP,
not access to the LDAP database itself.
Quite a few AAA systems have configurable LDAP search filters with
placeholders and construct the final filter string using simple
concatenation. Manipulated filter strings could trick the system into
loading (and eventually applying) the wrong set of access controls.
It might make sense for OpenLDAP to provide a version of
ldap_search_ext which separates the filter and any parameters
contained in it, or provide means to construct filters in a way that
is more robust than string concatenation.