CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

Description

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

Submission Date: July 19, 2006, midnight

Modification Date: 2023-06-29 00:00:00+00:00

Organization: MITRE

Example Vulnerable Code

Example - 1

The code below constructs an LDAP query using user input address data:


    context = new InitialDirContext(env);
    String searchFilter = "StreetAddress=" + address;
    NamingEnumeration answer = context.search(searchBase, searchFilter, searchCtls);

Because the code fails to neutralize the address string used to construct the query, an attacker can supply an address that includes additional LDAP queries.
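The following is an added example, not part of the CWE entry. It shows the concatenated filter next to two neutralized forms: RFC 4515 escaping of the value, and the JNDI search overload that takes the value as a filter argument. The class and method names are hypothetical and the sample inputs are constructed.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapFilterNeutralization {

    // Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Preferred with JNDI: pass the value as a filter argument. A String
    // substituted for {0} is treated as a literal value, not as filter syntax.
    static NamingEnumeration<SearchResult> searchByAddress(
            DirContext context, String searchBase, String address,
            SearchControls searchCtls) throws NamingException {
        return context.search(searchBase, "(StreetAddress={0})",
                new Object[] { address }, searchCtls);
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary address and one with filter metacharacters.
        String[] samples = { "12 Main St", "x)(cn=*" };
        for (String address : samples) {
            String concatenated = "(StreetAddress=" + address + ")";
            String neutralized = "(StreetAddress=" + escapeFilterValue(address) + ")";
            System.out.println("input:        " + address);
            System.out.println("concatenated: " + concatenated);
            System.out.println("neutralized:  " + neutralized);
        }
    }
}
```

Running `main` needs no directory server; `searchByAddress` is the form to use against a real `DirContext`.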

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of the different insights into similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.