On Mon, Jan 14, 2019 at 2:44 PM sciUser <[email protected]> wrote:
> Sure,
>
> We will not be moving to 1.0.0 until it's had a full 120-day dev QA; so far
> there are a lot of bugs that need to be worked out.
>
> 1. https://securitytraning.com/ldap-injection-attacks-web-for-pentester/
> 2. https://www.hackthis.co.uk/forum/hacking-security/tutorials-articles/604-ldap-injection-tutorial
> 3. https://tools.kali.org/information-gathering/enum4linux
>

As with many vulnerabilities, it seems like these rely on people not writing code correctly and failing to escape items which might be configured or input by the end user. Proper escaping of that code should mitigate these attacks, no?

> I can cite a lot more, but we are running advanced security labs with tools
> that can rip a network apart if not correctly isolated. So this is why we
> don't use LDAP, which can be exploited.
>

This is, once again, a broad statement that may or may not be true, depending on the quality of the code that is authenticating against LDAP. Obviously I would not recommend making an LDAP server available on the Internet directly, nor would I recommend making web pages available with basic code that doesn't correctly handle that escaping. But I would feel fairly confident in saying that not every piece of code that authenticates against LDAP is vulnerable to LDAP injection attacks. It would be like saying, "Don't write code that uses a database, because it's vulnerable to SQL injection attacks."

-Nick
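The escaping Nick refers to, as an added example that is not part of this thread or any project's code: an RFC 4515 filter-value escaper in Python, with a filter built by raw concatenation beside the same filter built from escaped values. The login-filter template, the `assertion_count` check and the sample inputs are constructed for illustration.

```python
# Added example for this thread (not the original poster's code).
# RFC 4515 section 3: inside a filter assertion value, the characters
# '*', '(', ')', '\' and NUL must be written as backslash + two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_filter_value(value: str) -> str:
    """Escape a string so the server treats it as a literal value, not filter syntax."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII: RFC 4515 allows each UTF-8 byte to be written as \xx.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)

# Constructed filter template; the attribute names are assumptions for the example.
def unsafe_login_filter(username: str, password: str) -> str:
    """The pattern the thread warns about: user input concatenated straight into the filter."""
    return f"(&(uid={username})(userPassword={password}))"

def safe_login_filter(username: str, password: str) -> str:
    """Same filter, with every user-controlled value escaped before insertion."""
    uid = escape_filter_value(username)
    pw = escape_filter_value(password)
    return f"(&(uid={uid})(userPassword={pw}))"

def assertion_count(filt: str) -> int:
    """Count filter groupings. Escaped values add none, so a correct filter keeps a fixed count."""
    return filt.count("(")

if __name__ == "__main__":
    # Constructed sample input containing filter metacharacters.
    for build in (unsafe_login_filter, safe_login_filter):
        filt = build("(x)", "pass*word")
        print(f"{build.__name__}: {filt}  groupings={assertion_count(filt)}")
```

The escaped filter keeps three groupings whatever the input contains; the concatenated one changes shape with the input, which is the defect the tutorials linked above exploit.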
