CWE-90 Individual Dictionary Definition (Draft 9)

Weakness ID: 90 (Weakness Base)
Status: Draft

Description
Summary: The software does not sufficiently sanitize special elements that are used in LDAP queries or responses, allowing attackers to modify the syntax, contents, or commands of the LDAP query before it is executed.

Potential Mitigations
Assume all input is malicious. Use an appropriate combination of black lists and white lists to filter or quote LDAP syntax from user-controlled input. Prefer a white list of permitted characters for each field; where a field must accept arbitrary text, escape the LDAP metacharacters using the encoding defined for the context in which the value is used (RFC 4515 for search filter values, RFC 4514 for distinguished names), since a black list alone tends to miss encodings and context-specific characters.

Context Notes
Factors: resultant to special character mismanagement, MAID, or blacklist/whitelist problems. Can be primary to authentication and verification errors.

Research Gaps
Under-reported. This is likely found very frequently by third-party code auditors, but there are very few publicly reported examples.

References
SPI Dynamics. "Web Applications and LDAP Injection".

Relationships

Source Taxonomies
PLOVER - LDAP injection

Applicable Platforms
All
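The description and mitigation above, as a worked example. This code is added here and is not part of the CWE entry or of the cited SPI Dynamics paper; the `(&(uid=...)(objectClass=person))` filter template, the attacker payload, and the function names are assumptions chosen for illustration. It builds the same search filter with and without RFC 4515 escaping, shows how the unescaped payload changes the filter's structure, and includes the separate RFC 4514 escaping needed when a value is placed in a distinguished name rather than a filter:

```python
"""LDAP injection (CWE-90): unescaped user input spliced into a search
filter, beside the RFC 4515 / RFC 4514 escaping that neutralises it.

Added example; not from the CWE entry. The filter template, the
hypothetical uid/objectClass attributes and the payload string are
assumptions chosen to illustrate the weakness, not part of any real
directory or product.
"""

# RFC 4515 section 3: inside a search-filter assertion value these
# characters must be written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a distinguished name (RFC 4514).

    Filter escaping and DN escaping are different encodings; applying the
    wrong one for the context leaves the injection open.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == "#" and i == 0:
            out.append(r"\#")
        elif ch == " " and (i == 0 or i == last):
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_filter_unsafe(username: str) -> str:
    """Vulnerable: the user-controlled value is concatenated verbatim."""
    return f"(&(uid={username})(objectClass=person))"


def build_filter_safe(username: str) -> str:
    """Hardened: the value is escaped so it can only ever be a literal."""
    return f"(&(uid={escape_filter_value(username)})(objectClass=person))"


def top_level_filter_count(ldap_filter: str) -> int:
    """Count complete top-level filter expressions in a filter string.

    A correctly built filter contains exactly one. Escaped parentheses
    (\\28 and \\29) are plain characters and are not counted.
    """
    depth = 0
    complete = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                complete += 1
    return complete


if __name__ == "__main__":
    # Constructed attacker input: closes the uid assertion, adds a clause
    # that matches every entry, and opens a second filter to absorb the
    # rest of the template.
    payload = "*)(uid=*))(|(uid=*"
    print(build_filter_unsafe(payload))
    print(top_level_filter_count(build_filter_unsafe(payload)))  # 2
    print(build_filter_safe(payload))
    print(top_level_filter_count(build_filter_safe(payload)))  # 1
```

With the unsafe builder the payload turns one filter into two, the first of which (`(&(uid=*)(uid=*))`) matches every entry; several directory servers evaluate the first complete filter and ignore trailing text, which is why this shape is the classic authentication bypass. With escaping, the payload survives only as a literal assertion value and the filter structure is unchanged. For a field such as a username, a white list (for example, letters, digits, `.`, `_`, `-`) rejecting the payload outright is the simpler control; escaping is what covers fields that legitimately carry arbitrary text.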