We are building an application which utilizes LDAP via PHP, and I got to thinking: is there anything you can do with injecting into LDAP, and better yet, how does one protect against LDAP injections?

+1  A: 

In most cases it is using a read-only account for LDAP. Since LDAP is poor at writes, updates only occur in very small sections of the application, where another account can be used.

Even then the query language and the update language are completely separated.

To protect against displaying unwanted information, treat all user input as tainted and make sure tainted data is never used before being parsed, cleaned, properly escaped and copied to a clean variable.

Similarly, you might consider only picking the data you expect from the response and returning that for display.

Peter Tillemans
"To protect against displaying unwanted information treat all user input as tainted and make sure tainted data is never used before being parsed, cleaned and properly escaped and copied to a clean variable." How would one go about doing this is the question?
Chris
A: 

One item to consider is that an LDAP bind with a Username (DN) but no password is considered an anonymous bind. Therefore, should you test to see if the passed credentials can bind via LDAP to validate the user, then if they pass a blank password and you pass it through as is, you could let someone in incorrectly.

geoffc
Thanks, this I do understand, and it is not really an injection.
Chris
@Chris: Agreed, not truly an injection, but within the same basic problem space.
geoffc
+1  A: 

When constructing LDAP filters you must ensure that filter values are handled according to RFC2254:

Any control characters with an ASCII code < 32, as well as the characters with special meaning in LDAP filters "*", "(", ")" and "\" (the backslash), are converted into the representation of a backslash followed by two hex digits representing the hexadecimal value of the character.

Zend_Ldap, for example, uses the following routine:

//[...]
// Escape the four filter metacharacters first. The backslash must be handled
// before the others so that the backslashes introduced by the replacements
// below are not escaped a second time.
$val = str_replace(array('\\', '*', '(', ')'), array('\5c', '\2a', '\28', '\29'), $val);
// Then replace every remaining control character (ASCII < 32) with \XX.
// strlen() is re-evaluated each iteration because the replacements grow $val.
for ($i = 0; $i < strlen($val); $i++) {
    $char = substr($val, $i, 1);
    if (ord($char) < 32) {
        $hex = dechex(ord($char));
        if (strlen($hex) == 1) $hex = '0' . $hex;   // pad to two hex digits
        $val = str_replace($char, '\\' . $hex, $val);
    }
}
//[...]
Stefan Gehrig
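The following is an added example, not code from any of the answers above or from Zend_Ldap. It ties the three answers together in PHP's ext/ldap: the input is treated as tainted and whitelisted before use (Peter Tillemans), an empty password is refused before any bind so it cannot turn into an anonymous bind (geoffc), filter values are escaped per the RFC 2254 rule (Stefan Gehrig), and only the attributes the application needs are requested. The hostname, base DN, the read-only service account, the `LDAP_RO_PASS` environment variable and the username character set are assumptions made for the example.

```php
<?php
// Added example: login helper applying the advice from the answers above.
// ldap.example.com, the DNs and LDAP_RO_PASS are placeholders (assumptions).

// RFC 2254 filter escaping: "\", "*", "(", ")" and any byte < 32 become \XX.
// Equivalent to the Zend_Ldap routine in the answer; on PHP >= 5.6 the
// built-in ldap_escape($value, '', LDAP_ESCAPE_FILTER) does the same job.
function ldapFilterEscape($value)
{
    $out = '';
    $len = strlen($value);
    for ($i = 0; $i < $len; $i++) {
        $char = $value[$i];
        $ord  = ord($char);
        if ($ord < 32 || $char === '\\' || $char === '*' || $char === '(' || $char === ')') {
            $out .= sprintf('\\%02x', $ord);
        } else {
            $out .= $char;
        }
    }
    return $out;
}

// Step 1: the input is tainted. Only a tightly whitelisted username is accepted
// at all (the allowed character set is an assumption for this example).
function cleanUsername($tainted)
{
    if (!is_string($tainted) || !preg_match('/^[a-z0-9._-]{1,64}$/i', $tainted)) {
        return null;
    }
    return $tainted;   // now a clean copy, safe to hand on
}

function authenticate($taintedUser, $taintedPass)
{
    $user = cleanUsername($taintedUser);
    if ($user === null) {
        return false;
    }
    // Step 2: ldap_bind() with an empty password is an anonymous bind, which
    // most servers accept, so refuse it before it ever reaches the server.
    if (!is_string($taintedPass) || $taintedPass === '') {
        return false;
    }

    $roPass = getenv('LDAP_RO_PASS');          // assumed: service account password
    if ($roPass === false || $roPass === '') {
        return false;
    }

    $conn = ldap_connect('ldaps://ldap.example.com');   // assumed host
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Step 3: look the user up with the read-only account and an escaped
    // filter. Concatenating the raw input ('(uid=' . $taintedUser . ')')
    // is exactly what lets a caller change the meaning of the filter.
    if (!@ldap_bind($conn, 'cn=readonly,dc=example,dc=com', $roPass)) {
        ldap_unbind($conn);
        return false;
    }
    $filter = '(&(objectClass=person)(uid=' . ldapFilterEscape($user) . '))';

    // Step 4: request only the attributes the application actually needs.
    $search  = @ldap_search($conn, 'ou=people,dc=example,dc=com', $filter, array('mail'));
    $entries = $search ? ldap_get_entries($conn, $search) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return false;   // zero or several matches: never guess which one
    }
    $dn = $entries[0]['dn'];   // DN comes from the server, not from user input

    // Step 5: verify the password by binding as that DN with a non-empty password.
    $ok = @ldap_bind($conn, $dn, $taintedPass);
    ldap_unbind($conn);
    return $ok;
}

// Usage (requires a reachable directory): var_dump(authenticate($_POST['u'], $_POST['p']));
```

Calling `ldapFilterEscape("*)(uid=*")` returns `\2a\29\28uid=\2a`, so the value can only ever match a literal string inside the `uid=` assertion and never closes or extends the filter. Note that DN components follow a different escaping rule (RFC 4514, `LDAP_ESCAPE_DN` in `ldap_escape()`), which is why the example binds with the DN the server returned rather than one assembled from the username.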