<span id="7ztzv"></span>
<sub id="7ztzv"></sub>


<span id="7ztzv"></span><form id="7ztzv"></form>


<span id="7ztzv"></span>
    

      

        <address id="7ztzv"></address>
            


					
            
						
            
													
							
            
							   LDAP Manipulation
							
            
							
            ABSTRACT
            
							
            
							  執行一個 LDAP 指令,該指令包含了由用戶控制的數值字符串,且使用濾字符串以外的字符,這可能會使攻擊者改變指令的含義或執行非法 LDAP 命令。
							
            
							
            EXPLANATION
            
							
            
							  LDAP manipulation 錯誤在以下情況中出現:

            1.	數據從一個不可信賴的數據源進入程序。

            2.	數據在一個動態 LDAP 指令的濾字符串之外使用。 

            例 1:以下代碼從一個 HTTP 請求里讀取用戶名和密碼,并且使用它去執行 LDAP 查詢。 


            env.put(Context.SECURITY_AUTHENTICATION, "none");
            DirContext ctx = new InitialDirContext(env);

            String empID = request.getParameter("empID");

            try
            {
            BasicAttribute attr = new BasicAttribute("empID", empID);

            NamingEnumeration employee = 
            ctx.search("ou=People,dc=example,dc=com",attr);  
            ...


            因為該查詢包含用戶輸入,且會在匿名綁定下執行,因此,該查詢會返回所有指定用戶名的詳細信息,而不會考慮其密碼是否與指定密碼相匹配。攻擊者可以有效使用以下代碼查詢系統中任意雇員的詳細信息,這是一個嚴重的 privacy violation。問題在于開發人員沒能充分利用適當的 access control 機制來限制查詢,使查詢只能讀取那些允許當前用戶讀取的雇員記錄。
							
            
							 								
            REFERENCES
            
																								   
            [1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input 
            
																									   
            [2] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A2 Broken Access Control 
            
																									   
            [3] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A4 Insecure Direct Object Reference 
            
																									   
            [4] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object References 
            
																									   
            [5] Standards Mapping - FIPS200 - (FISMA) AC 
            
																									   
            [6] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I 
            
																									   
            [7] Standards Mapping - Security Technical Implementation Guide Version 3.4 - (STIG 3.4) APP3510 CAT I 
            
																									   
            [8] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 639 
            
																									   
            [9] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 90 
            
																									   
            [10] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 116 
            
																									   
            [11] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authorization 
            
																									   
            [12] Standards Mapping - SANS Top 25 2011 - (SANS Top 25 2011) Porous Defenses - CWE ID 863 
            
																									   
            [13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1 
            
																									   
            [14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1 
            
																									   
            [15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.2 
            
																									   
            [16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.4 
            
																									   
            [17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8 
            
																									   
            [18] Standards Mapping - FIPS200 - (FISMA) SI 
            
																														
            
							
            
							
            
							
            
							Copyright 2013 Fortify Software - All rights reserved.
							
            
							(Generated from version 2013.1.1.0008 of the Fortify Secure Coding Rulepacks)
							
            
							desc.dataflow.java.ldap_manipulation
							
            
							
            
						
            

            <span id="7ztzv"></span>
            <sub id="7ztzv"></sub>
            

            <span id="7ztzv"></span><form id="7ztzv"></form>
            

            <span id="7ztzv"></span>
              

                

                  <address id="7ztzv"></address>
                      

亚洲欧美在线