<quote who="Carl Johnstone">
> Oh another LDAP subject that I meant to mention - LDAP Injection. It's
> something that's been mentioned regarding our use of LDAP.
>
> For example C:P:Auth:Store:LDAP suggests using a filter like:
>
> (&(objectClass=posixAccount)(uid=%s))
>
> Then does:
>
> $filter =~ s/\%s/$replace/g;
>
> Which on a casual glance would seem to be a possibility for an
> LDAP-injection attack.
It doesn't matter, it will get rejected as a bad filter:

[EMAIL PROTECTED] ~]$ ldapsearch -x "(&(objectClass=posixAccount)(uid==&234%20%/ad%%%%)$1\\))"
# extended LDIF
#
# LDAPv3
# base <dc=suretecsystems, dc=com> (default) with scope subtree
# filter: (&(objectClass=posixAccount)(uid==&234%%%%%)\))
# requesting: ALL
#
ldapsearch: ldap_search_ext: Bad search filter (-7)

> The problems due to SQL Injection are well known and nobody would write
> similar code to interact with a DB. However there seems to be little in
> CPAN that acknowledges the risks of LDAP Injection.
>
> I suspect that Net::LDAP doesn't help here, there is a reference to making
> use of Net::LDAP::Filter to specify queries that will be properly escaped -
> however there isn't an example in the POD (hell I glanced at the source and
> couldn't be entirely sure).
>
> So again is this an area that anybody has considered and has some
> experience to share?
>
> Thanks again,
>
> Carl
>
> _______________________________________________
> List: [email protected]
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/[email protected]/
> Dev site: http://dev.catalyst.perl.org/
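The escaping Carl asks about, as an added example that is not from this thread, from Catalyst or from Net::LDAP itself: it reimplements the RFC 4515 filter-value escaping (the same mapping Net::LDAP::Util's escape_filter_value applies) so it runs without Net::LDAP installed, and puts the plain s/%s/ substitution next to the escaped one. The template string and the sample uid values are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# RFC 4515 escaping for a value that is placed inside a search filter:
# backslash, '*', '(', ')' and NUL become a backslash plus two hex digits.
# This is the same mapping Net::LDAP::Util::escape_filter_value performs;
# it is written out here so the example runs without Net::LDAP.
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\*()\x00])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

# Constructed template with the same shape as the one in the thread.
my $template = '(&(objectClass=posixAccount)(uid=%s))';

# Plain substitution: the caller-supplied value is spliced in untouched,
# so '*' and parentheses keep their filter meaning.
sub build_filter_unescaped {
    my ($uid) = @_;
    (my $filter = $template) =~ s/\%s/$uid/g;
    return $filter;
}

# Escaped substitution: metacharacters are neutralised first, so the value
# can only ever be matched as a literal uid.
sub build_filter_escaped {
    my ($uid) = @_;
    my $safe = escape_filter_value($uid);
    (my $filter = $template) =~ s/\%s/$safe/g;
    return $filter;
}

# Constructed sample values: a normal uid, one with a wildcard, one with
# parentheses that would otherwise alter the filter structure.
for my $uid ('carl', 'car*', 'a)(uid=b') {
    printf "%-10s unescaped: %s\n", $uid, build_filter_unescaped($uid);
    printf "%-10s escaped:   %s\n", '',   build_filter_escaped($uid);
}
```

With escaping, 'car*' reaches the server as uid=car\2a and 'a)(uid=b' as uid=a\29\28uid=b, so each is compared as a literal string instead of being parsed as filter syntax.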
