ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
This issue was brought to the ESAPI team's attention by @noloader. He created PR #712 to address it.
Describe the Bug
The ESAPI Encoder's encodeForLDAP() methods do not currently encode '/'. Active Directory seems to require this. There is a potential that this could lead to LDAP injection or other security-related problems if it is not done for LDAP searches against Active Directory.
Details
According to "Special Characters" mentioned in Reference [1], the following characters should be escaped in Active Directory when part of an LDAP search:
'*', '(', ')', '\', '/', NUL
Also see Reference [2].
However, note that '/' is not mentioned in Reference [3], so this seems to be Active Directory specific.
The question is, can failing to properly encode '/' in LDAP searches made against Active Directory lead to security issues? If so, then how should we address it and still maintain backward compatibility with other LDAPv3 directory servers not named Active Directory?
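To make the risk concrete, here is an added example (my own illustration, not ESAPI's encodeForLDAP() implementation or any ESAPI code): an RFC 4515-style escaper for values interpolated into a search filter, with an optional Active Directory mode that additionally escapes '/', and a small filter evaluator run over a constructed in-memory directory so the difference between raw interpolation and escaped interpolation is visible offline. The function names, the sample entries and the attacker-controlled username are all assumptions made for the example.

```python
import re

# Added example, not ESAPI's own code. An RFC 4515-style escaper for values
# interpolated into LDAP search filters, plus a tiny filter evaluator run over
# a constructed in-memory "directory" so the effect of (not) escaping is visible.

RFC4515_SPECIALS = {"\\", "*", "(", ")", "\x00"}   # characters RFC 4515 requires to be escaped
AD_EXTRA = {"/"}                                   # additionally listed in Microsoft's AD docs


def encode_for_ldap_filter(value: str, active_directory: bool = False) -> str:
    """Escape each special character as a backslash plus two hex digits (\\2a for '*').
    With active_directory=True, '/' is escaped as well (\\2f)."""
    specials = RFC4515_SPECIALS | (AD_EXTRA if active_directory else set())
    return "".join("\\%02x" % ord(ch) if ch in specials else ch for ch in value)


def build_user_filter(username: str, active_directory: bool = False, encode: bool = True) -> str:
    """Build the kind of filter an application uses to look up one account.
    encode=False reproduces the vulnerable pattern (raw string interpolation)."""
    v = encode_for_ldap_filter(username, active_directory) if encode else username
    return "(&(objectClass=user)(sAMAccountName=%s))" % v


# --- minimal filter parser/evaluator: supports &, |, ! and attr=value with '*' ---

def _parse(s: str, i: int):
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, children), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)   # a raw ')' ends the value: this is the injection point
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def parse_filter(s: str):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def _unescape(piece: str) -> str:
    # \xx sequences become literal characters, so \2a is a literal '*' and \2f a literal '/'
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(c, entry) for c in node[1])
    if kind == "|":
        return any(_matches(c, entry) for c in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, pattern = node
    # Only a raw '*' is a wildcard; escaped bytes are matched literally.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr.lower(), []))


# Constructed sample directory (attribute names lower-cased, values as lists).
DIRECTORY = [
    {"objectclass": ["user"], "samaccountname": ["alice"]},
    {"objectclass": ["user"], "samaccountname": ["bob"]},
    {"objectclass": ["user"], "samaccountname": ["svc/backup"]},
    {"objectclass": ["computer"], "samaccountname": ["WS01$"]},
]


def search(filter_str: str) -> list:
    """Return the sAMAccountName of every entry the filter matches."""
    node = parse_filter(filter_str)
    return [e["samaccountname"][0] for e in DIRECTORY if _matches(node, e)]


if __name__ == "__main__":
    evil = "*)(objectClass=*"   # constructed attacker-controlled "username"
    print(search(build_user_filter(evil, encode=False)))   # every user object
    print(search(build_user_filter(evil)))                 # []: the value is literal
    print(encode_for_ldap_filter("svc/backup", active_directory=True))  # svc\2fbackup
```

The unescaped lookup turns "(sAMAccountName=…)" into three assertions and matches every user object; the escaped one matches nothing because "\2a\29\28" are literal characters to the parser. Note that the toy evaluator treats "svc/backup" and "svc\2fbackup" identically, which is what RFC 4515 promises: any octet may be written as a backslash-hex pair, so escaping '/' is syntactically harmless on a server that follows the RFC. Whether a given Active Directory build needs that escape is exactly the open question in this issue and cannot be settled by this example.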
References
[1] Search Filter Syntax - Win32 Apps
[2] Active Directory: Characters to Escape
[3] RFC 2254 - Section 4