CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Description
The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
Submission Date :
July 19, 2006, midnight
Modification Date :
2023-06-29 00:00:00+00:00
Organization :
MITRE
Example - 1
The code below constructs an LDAP query using user input address data:
context = new InitialDirContext(env);String searchFilter = "StreetAddress=" + address;NamingEnumeration answer = context.search(searchBase, searchFilter, searchCtls);
Because the code fails to neutralize the address string used to construct the query, an attacker can supply an address that includes additional LDAP queries.
Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.