CRITICAL
Rule Definition
An attacker could include input that changes the LDAP query which allows unintended commands or code to be executed, allows sensitive data to be read or modified or causes other unintended behavior.
If LDAP requests like these are used for login purposes, it could result in an authentication bypass. An attacker could write a filter that would evaluate to true for any user, and thus bruteforce credentials easily.
Remediation
Use ldap_escape to escape query result to the LDAP filter and DN.
Violation Code Sample
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
$username = $row["username"];
$result = ldap_search($DS, $BASEDN, "(&(username={$username})(memberOf={$ADMIN_GROUP}))", $LDAP_ATTRIBUTES); // VIOLATION
Fixed Code Sample
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
$username = $row["username"];
$username = ldap_escape($username); // ESCAPE STRING
$result = ldap_search($DS, $BASEDN, "(&(username={$username})(memberOf={$ADMIN_GROUP}))", $LDAP_ATTRIBUTES); // FIXED
Reference
CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
https://cwe.mitre.org/data/definitions/90.html
Open Web Application Security Project (OWASP)
OWASP Top Ten 2017 Category A1:2017-Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection
OWASP Top Ten 2021 Category A03:2021 - Injection
https://owasp.org/Top10/A03_2021-Injection/
Related Technologies
Technical Criterion
PCI-DSS4-Requirement-6.2.4 - Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.