From: mete b. <met...@gm...> - 2009-04-28 10:49:12
Hi all, I'm developing a web-based LDAP GUI with Python (with python-ldap), and I'm missing something about security. How can I block LDAP injection? Thanks all. Good days.

PS: http://freshmeat.net/projects/pyldapadmin - pyldapadmin
From: Michael S. <mi...@st...> - 2009-04-28 11:30:42
mete bilgin wrote:
> I'm developing a web-based LDAP GUI with Python (with python-ldap).
> And I'm missing something about security. How can I block LDAP injection?

Could you please elaborate on what you mean by "ldap injection"?

Most security issues with attacking the connection can be cured with SSL/TLS. So your client should support LDAPS and the StartTLS ext.op., and define the trusted root CA certs.

Ciao, Michael.
From: Yancey Y. <ya...@un...> - 2009-04-28 15:32:52
Attachments:
smime.p7s
I believe he is asking how to defend against potential web-based LDAP filter injection attacks (similar to SQL injection attacks), or generally how to validate user input. I think there are better forums elsewhere (OpenLDAP perhaps) for asking this question.

There is a potential for abuse with some filters, but I do not see any way to abuse the "(&(objectClass=inetOrgPerson)(uid=$input))" filter. As mete wrote, it's easy to enter something that makes the filter invalid. I just can't think of anything extra a person could type that would be a valid filter and return unwanted data. Unlike SQL, the returned attributes are not specified in the LDAP filter string, so there is limited potential for abuse.

Yancey

On Apr 28, 2009, at 10:08 AM, mete wrote:

>> i guess what he means is something like this: imagine the following filter:
>>
>> (&(objectClass=inetOrgPerson)(uid=$input))
>>
>> where $input comes from a web form, or similar. if $input==')' you get
>>
>> (&(objectClass=inetOrgPerson)(uid=)))
>>
>> which is invalid.
>>
>> so some form of input validation must be used.
>>
>> please correct me if i'm wrong
>>
>> best regards
>> burak
>
> It has a login window. You can write your DN and password; after login you
> can search, list etc. But it's not too secure. How can I stop them?
>
> Sorry for my English. It's not good at all. Good day.
>
> _______________________________________________
> Python-LDAP-dev mailing list
> Pyt...@li...
> https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
From: Michael S. <mi...@st...> - 2009-04-28 21:23:55
Yancey Yeargan wrote:
> I believe he is asking how to defend against potential web-based LDAP
> filter injection attacks (similar to SQL injection attacks),

Ah ok. To prevent someone from passing in special filter chars, these have to be escaped before the user's input is used as a (partial) value in the LDAP filter string representation. One should use the functions in module ldap.filter for that:

http://www.python-ldap.org/doc/html/ldap-filter.html

> or generally how to validate user input.

This depends on the application's context and could be handled in the web app library.

Ciao, Michael.
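An added, runnable illustration of the escaping recommended above (example code written for this page, not python-ldap's own and not from any poster in the thread): it builds the thread's `(&(objectClass=inetOrgPerson)(uid=$input))` filter both by raw interpolation and with RFC 4515 escaping, then runs both through a small in-memory filter evaluator over a constructed sample directory, so the effect of hostile input can be seen without a server. `escape_filter_value` reproduces what `ldap.filter.escape_filter_chars` does in its default mode, and `safe_filter` yields the same string that `ldap.filter.filter_format` would produce for that template; the evaluator, `search`, `is_valid_filter` and the directory contents are assumptions made for the demo only.

```python
import re

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
# This mirrors python-ldap's ldap.filter.escape_filter_chars() in its default
# mode; a local copy is used so the example runs without python-ldap installed.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value):
    """Escape an untrusted string for use as an assertion value in a filter."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def naive_filter(uid):
    """The vulnerable construction discussed in the thread: raw interpolation."""
    return '(&(objectClass=inetOrgPerson)(uid=%s))' % uid


def safe_filter(uid):
    """Hardened construction; same result as
    ldap.filter.filter_format('(&(objectClass=inetOrgPerson)(uid=%s))', [uid])."""
    return '(&(objectClass=inetOrgPerson)(uid=%s))' % escape_filter_value(uid)


# --- Minimal evaluator for a subset of RFC 4515 filters (demo assumption) ----
# Supports (&...), (|...), (!...) and (attr=value) with unescaped '*' as a
# substring wildcard and \xx hex escapes. Like a real server it is strict:
# anything left over after the outermost ')' is a syntax error.
_ATTR_RE = re.compile(r'[A-Za-z][A-Za-z0-9-]*')


def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError('trailing data after filter at offset %d' % pos)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != '(':
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in '&|!':
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == '(':
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ')':
            raise ValueError("expected ')' at offset %d" % i)
        if not children or (op == '!' and len(children) != 1):
            raise ValueError('bad operand count for %r' % op)
        return (op, children), i + 1
    m = _ATTR_RE.match(s, i)
    if not m or m.end() >= len(s) or s[m.end()] != '=':
        raise ValueError('expected attribute=value at offset %d' % i)
    end = s.find(')', m.end())
    if end == -1:
        raise ValueError('unterminated item at offset %d' % i)
    value = s[m.end() + 1:end]
    if '(' in value:  # '(' must be written as \28 inside a value
        raise ValueError("unescaped '(' in value at offset %d" % i)
    return ('=', m.group(0).lower(), value), end + 1


def _unescape(v):
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), v)


def _value_matches(pattern, actual):
    # Unescaped '*' is a wildcard; '\2a' turns into a literal '*' after unescaping.
    regex = '.*'.join(re.escape(_unescape(p)) for p in pattern.split('*'))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def matches(node, attrs):
    op = node[0]
    if op == '&':
        return all(matches(c, attrs) for c in node[1])
    if op == '|':
        return any(matches(c, attrs) for c in node[1])
    if op == '!':
        return not matches(node[1][0], attrs)
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in attrs.get(attr, ()))


# Constructed sample directory: (dn, attributes with lower-cased names).
DIRECTORY = [
    ('uid=alice,ou=people,dc=example,dc=com',
     {'objectclass': ['inetOrgPerson'], 'uid': ['alice'], 'cn': ['Alice Example']}),
    ('uid=bob,ou=people,dc=example,dc=com',
     {'objectclass': ['inetOrgPerson'], 'uid': ['bob'], 'cn': ['Bob Example']}),
    ('uid=admin,ou=people,dc=example,dc=com',
     {'objectclass': ['inetOrgPerson'], 'uid': ['admin'], 'cn': ['Directory Manager']}),
    ('cn=staff,ou=groups,dc=example,dc=com',
     {'objectclass': ['groupOfNames'], 'cn': ['staff']}),
]


def search(filter_text):
    """Return the DNs matching filter_text; raises ValueError on bad syntax."""
    node = parse_filter(filter_text)
    return [dn for dn, attrs in DIRECTORY if matches(node, attrs)]


def is_valid_filter(filter_text):
    try:
        parse_filter(filter_text)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    for user_input in ['alice', '*', 'a*', ')']:
        for label, build in (('naive', naive_filter), ('safe', safe_filter)):
            f = build(user_input)
            result = search(f) if is_valid_filter(f) else 'INVALID FILTER'
            print('%-5s %-45s -> %s' % (label, f, result))
```

With the wildcard input `*`, the naive filter returns every inetOrgPerson while the escaped one returns nothing, and with `)` the naive filter is a syntax error while the escaped one is simply a lookup for a literal `)`. With python-ldap installed, `safe_filter` should be replaced by `ldap.filter.filter_format` directly. One caveat for the login form mentioned later in the thread: filter escaping only covers assertion values; a user-supplied DN component (for example in a bind DN or search base) needs DN escaping, which python-ldap provides separately as `ldap.dn.escape_dn_chars`.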
From: Burak A. <bu...@ar...> - 2009-04-28 13:11:01
Michael Ströder wrote:
> mete bilgin wrote:
>> I'm developing a web-based LDAP GUI with Python (with python-ldap).
>> And I'm missing something about security. How can I block LDAP injection?
>
> Could you please elaborate on what you mean by "ldap injection"?

i guess what he means is something like this: imagine the following filter:

(&(objectClass=inetOrgPerson)(uid=$input))

where $input comes from a web form, or similar. if $input==')' you get

(&(objectClass=inetOrgPerson)(uid=)))

which is invalid.

so some form of input validation must be used.

please correct me if i'm wrong

best regards
burak
From: mete <met...@gm...> - 2009-04-28 15:08:49
> i guess what he means is something like this: imagine the following filter:
>
> (&(objectClass=inetOrgPerson)(uid=$input))
>
> where $input comes from a web form, or similar. if $input==')' you get
>
> (&(objectClass=inetOrgPerson)(uid=)))
>
> which is invalid.
>
> so some form of input validation must be used.
>
> please correct me if i'm wrong
>
> best regards
> burak

It has a login window. You can write your DN and password; after login you can search, list etc. But it's not too secure. How can I stop them?

Sorry for my English. It's not good at all. Good day.