A paper and presentation making the rounds, claiming to show how webapps using
LDAP are vulnerable to search filter spoofing attacks.
Can't imagine that work like this gets peer-reviewed, because it's mostly
garbage. They concoct a scenario in section 4.1.1 of their paper, supposedly
showing how filter manipulation can allow a webapp user to bypass LDAP-based
authentication. It's ridiculous drivel though, since LDAP-based authentication
uses Bind requests and not search filters. Most LDAP deployments don't even
give search/compare access to userPassword attributes in the first place.
Just in case anybody out there might be bitten by this info - client-enforced
security is no security at all. This is why slapd has such an extensive ACL
engine - you enforce access controls on the server, and then it doesn't matter
what kind of garbage requests your clients send to you, they can only ever
access information that they were allowed to access. This is also why the old
pam_ldap authorization scheme was such a bad idea, it relied on the LDAP
client (pam_ldap) to correctly implement authorization, instead of the server.
(Multiply that by hundreds or thousands of clients and you have an
unmanageable, insecurable mess.) This is why we have nssov today.
Of course, this is no excuse to be sloppy when writing your web apps. But if
you've configured ACLs to adequately protect your data, then it doesn't matter
how sloppy your clients are.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/