ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://owasp.org/www-project-enterprise-security-api/

Should '/' be encoded for LDAP searches? #713

Closed kwwall closed 2 years ago

kwwall commented 2 years ago

This issue was brought to the ESAPI team's attention by @noloader. He created PR #712 to address it.

Describe the Bug
The ESAPI Encoder's encodeForLDAP() methods do not currently encode '/'. Active Directory seems to require this. There may be a potential that this could lead to LDAP Injection results or other security-related problems if this is not done for LDAP searches against Active Directory.

Details
According to "Special Characters" mentioned in Reference [1], the following characters should be escaped in Active Directory when part of an LDAP search:

    '*', '(', ')', '\', '/', NUL

Also see Reference [2].

However, note that '/' is not mentioned in Reference [3], so this seems to be Active Directory specific.

The question is, can failing to properly encode '/' in LDAP searches made against Active Directory lead to security issues? If so, then how should we address it and still maintain backward compatibility with other LDAPv3 directory servers not named Active Directory?

References
[1] Search Filter Syntax - Win32 Apps
[2] Active Directory: Characters to Escape
[3] RFC 2254 - Section 4
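The escaping rule under discussion, as an added, language-neutral illustration that is not ESAPI's code and does not call its encodeForLDAP() API: each filter metacharacter listed above is replaced by the "\XX" hex escape that RFC 2254 / RFC 4515 define for search filters, with '/' handled as an extra character that can be switched on or off. The function names, the sAMAccountName filter template and the sample usernames are assumptions made for this example.

```python
# Added example (not ESAPI's own code): escape a user-supplied value before
# embedding it in an LDAP search filter. RFC 2254 / RFC 4515 express escapes
# as a backslash followed by two hex digits of the byte, e.g. '*' -> '\2a'.

# Characters the RFC 2254 / RFC 4515 filter grammar requires to be escaped.
RFC_FILTER_SPECIALS = {"*", "(", ")", "\\", "\x00"}
# Extra character escaped for Active Directory (see the references above).
AD_EXTRA_SPECIALS = {"/"}


def escape_ldap_filter_value(value: str, escape_slash: bool = True) -> str:
    """Return value with each filter metacharacter replaced by its \\XX escape.

    escape_slash=True also escapes '/' (the behaviour the issue asks for);
    escape_slash=False reproduces the RFC-only character set.
    """
    specials = RFC_FILTER_SPECIALS | (AD_EXTRA_SPECIALS if escape_slash else set())
    out = []
    for ch in value:
        if ch in specials:
            out.append("\\%02x" % ord(ch))  # two lowercase hex digits, per RFC 4515
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(username: str) -> str:
    """Hardened form: the username is escaped before it enters the filter."""
    # Hypothetical filter template for an Active Directory user lookup.
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_ldap_filter_value(username)


def build_user_filter_unsafe(username: str) -> str:
    """The 'before' picture: raw concatenation lets metacharacters in the
    value change the structure of the filter (LDAP injection)."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % username


if __name__ == "__main__":
    # Constructed sample inputs showing each escaped character.
    for sample in ["alice", "a*b", "(cn=x)", "back\\slash", "ou/people", "a\x00b"]:
        print(repr(sample), "->", escape_ldap_filter_value(sample))
    # A lone '*' turns the unsafe filter into a match-everything query;
    # the escaped form matches only a literal asterisk.
    print(build_user_filter_unsafe("*"))
    print(build_user_filter("*"))
```

Running the module prints the escaped form of each sample and the two filters built from a bare "*": the unescaped one matches every user object, the escaped one only a literal asterisk. Passing escape_slash=False shows the RFC-only behaviour that the issue says other LDAPv3 servers were previously assumed to need.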

kwwall commented 2 years ago

After further discussion on PR #712 (q.v.), it was confirmed that this indeed is applicable for all LDAPv3 directory servers. Closed via PR #712.