CRITICAL
Rule Definition
An attacker could include input that changes the LDAP query which allows unintended commands or code to be executed, allows sensitive data to be read or modified or causes other unintended behavior.
If LDAP requests like these are used for login purposes, it could result in an authentication bypass. An attacker could write a filter that would evaluate to true for any user, and thus bruteforce credentials easily.
Remediation
Use ldap_escape to escape user input to the LDAP filter and DN.
Violation Code Sample
<?php
$ds = ldap_connect('example.com');
$dn = 'o=Psalm, c=US';
$filter = $_GET['filter']);
ldap_search($ds, $dn, $filter, []); // VIOLATION
Fixed Code Sample
<?php
$ds = ldap_connect('example.com');
$dn = 'o=Psalm, c=US';
$filter = $_GET['filter'];
$filter = ldap_escape($filter); // ESCAPE STRING
ldap_search($ds, $dn, $filter, []); // FIXED
Reference
CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
https://cwe.mitre.org/data/definitions/90.html
Open Web Application Security Project (OWASP)
OWASP Top Ten 2017 Category A1:2017-Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection
OWASP Top Ten 2021 Category A03:2021 - Injection
https://owasp.org/Top10/A03_2021-Injection/
Related Technologies
Technical Criterion
CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.