
[WEB SECURITY] Java SQL/LDAP Injections



Dear list,

I am working on some Java code reviews and was looking for injection vectors that may apply to it.

Take for example the following code:

---------------------
public User getUsers(String userID) {
...
// named HQL query declared in the HBM mapping file
NamedQuery query = new NamedQuery(User.class, "user.view.by.id");
Map parameters = new HashMap();
// bound to the :userid named parameter of the query
parameters.put("userid", userID);
query.setParameters(parameters);
List list = Repository.select(query);
...
}
----------------------


That piece of code interacts with Hibernate to get a list of user objects with that ID from a relational DB. Here is the extract of the HBM mapping file:


--------------------
<property name="userID" type="string" length="15" column="USER_ID"/>
....
<query name="user.view.by.id"><![CDATA[
from com.test.user as userX
where userID = :userid
]]>
</query>
--------------------

I am wondering if this represents vulnerable code, exploited by, for example, calling getUsers("' or '1'='1") or something of the sort.

Second, suppose the application interacts with an LDAP server, using the following code:

------------------------------------
// Types are from javax.naming and javax.naming.directory;
// ctx is a DirContext already bound to the LDAP server.
public boolean checkUser(String userID) throws NamingException {

    boolean result = false;
    // attribute/value pairs an entry must match (attribute IDs compared case-insensitively)
    Attributes srchAttrs = new BasicAttributes(true);
    // attributes to return for each matching entry
    String[] resAttrsID = {"uid"};

    srchAttrs.put("uid", userID);
    NamingEnumeration srchResults = null;

    // search below the configured branch for entries whose uid equals userID
    srchResults = ctx.search(LDAP.getBranch(), srchAttrs, resAttrsID);
    if ((srchResults != null) && srchResults.hasMoreElements()) {
        result = true;
    }

    return result;
}
------------------------------------

Is this function vulnerable to LDAP Injection?

Looking forward to reading your opinions....

Andy.




---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

Brought to you by http://www.webappsec.org