How can LDAP injection be blocked?

Yancey Yeargan yancey at unt.edu
Tue Apr 28 17:32:49 CEST 2009


I believe he is asking how to defend against potential web-based LDAP  
filter injection attacks (similar to SQL injection attacks), or  
generally how to validate user input. I think there are better forums  
elsewhere (OpenLDAP perhaps) for asking this question.

There is a potential for abuse with some filters, but I do not see any  
way to abuse the "(&(objectClass=inetOrgPerson)(uid=$input))" filter.  
As mete wrote, it's easy to enter something that makes the filter  
invalid. I just can't think of anything extra a person could type that  
would be a valid filter and return unwanted data.

Unlike SQL, the returned attributes are not specified in the LDAP  
filter string, so there is limited potential for abuse.

Yancey


On Apr 28, 2009, at 10:08 AM, mete wrote:

>
>>
>> i guess what he means is something like this: imagine the following  
>> filter:
>>
>> (&(objectClass=inetOrgPerson)(uid=$input))
>>
>> where $input comes from a web form, or similar. if $input==')' you  
>> get
>>
>> (&(objectClass=inetOrgPerson)(uid=)))
>>
>> which is invalid.
>>
>> so some form of input validation must be used.
>>
>> please correct me if i'm wrong
>>
>> best regards
>> burak
> It has a login window. You can write your dn and password; after  
> login you
> can search, list, etc. But it's not very secure. How can I  
> stop them?
>
> Sorry for my English. It's not good at all. Good day.
>
> _______________________________________________
> Python-LDAP-dev mailing list
> Python-LDAP-dev at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
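The defensive answer to the filter in this thread is to escape the user-supplied value before it is interpolated, which is what python-ldap's `ldap.filter.escape_filter_chars` and `ldap.filter.filter_format` do. The following is an added, self-contained example (not code from the thread or from python-ldap itself) that reimplements the RFC 4515 escaping rules so it runs without python-ldap installed, builds the `(&(objectClass=inetOrgPerson)(uid=$input))` filter from the thread, and applies a small structural check that reproduces the `$input == ')'` failure burak described. The `build_uid_filter` and `filter_is_balanced` names are this example's own; the balance check is deliberately not a full RFC 4515 parser.

```python
"""Escape untrusted assertion values before interpolating them into an
LDAP search filter, per RFC 4515 section 3.  These are the same five
characters python-ldap's ldap.filter.escape_filter_chars escapes in its
default mode; this stand-alone version exists so the example runs
without python-ldap.  (Added example, not the thread's or python-ldap's code.)"""

# RFC 4515: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {
    '\\': r'\5c',   # backslash first in spirit; the single pass below never double-escapes
    '*': r'\2a',    # unescaped '*' would be a substring/presence wildcard
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}


def escape_filter_value(value: str) -> str:
    """Return value with RFC 4515 special characters replaced by \\XX escapes.

    A single pass over the characters means a backslash produced by one
    escape is never re-escaped by a later one."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(uid: str) -> str:
    """Build the thread's filter with the web-form value escaped.

    In production code with python-ldap installed, the equivalent is:
        ldap.filter.filter_format('(&(objectClass=inetOrgPerson)(uid=%s))', [uid])
    """
    return '(&(objectClass=inetOrgPerson)(uid=%s))' % escape_filter_value(uid)


def filter_is_balanced(filter_str: str) -> bool:
    """Cheap structural check: do the parentheses balance once escapes are
    honoured?  This only exercises the failure mode from the thread (a raw
    ')' in $input closing the filter early); it is not an RFC 4515 parser."""
    depth = 0
    i = 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == '\\':
            i += 3          # skip '\' plus the two hex digits of an escape
            continue
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:   # more closes than opens: the filter is malformed
                return False
        i += 1
    return depth == 0


if __name__ == '__main__':
    # Constructed inputs: a normal uid and the ')' case from the thread.
    for raw in ('jdoe', ')'):
        unescaped = '(&(objectClass=inetOrgPerson)(uid=%s))' % raw
        escaped = build_uid_filter(raw)
        print('%-6r unescaped: %-45s balanced=%s' % (raw, unescaped, filter_is_balanced(unescaped)))
        print('%-6r escaped:   %-45s balanced=%s' % (raw, escaped, filter_is_balanced(escaped)))
```

With the raw `)` the interpolated filter is `(&(objectClass=inetOrgPerson)(uid=)))`, which the check rejects, exactly the invalid filter from the thread; after escaping it becomes `(uid=\29)`, a well-formed filter that matches only a uid whose value is literally `)`. The same escaping turns `*` into `\2a`, so a user cannot turn the equality match into a wildcard. Escaping is the right layer for this: rejecting or whitelisting input is also fine, but escaping every interpolated value is the rule that stays correct when the filter template changes.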
