Full Disclosure mailing list archives
Analyzing SQL/LDAP Injections in JBOSS/Hibernate
From: "Andres Molinetti" <andymolinetti () hotmail com>
Date: Wed, 03 May 2006 17:52:48 +0000
Dear list, I am working on some Java code reviews and was looking for injection vectors that may apply to it.
I know that this is not the most suitable place to post this subject, but the WebAppsec* related lists weren't very helpful.
Take for example the following code:
---------------------
public User getUsers(String userID) {
    ...
    // named HQL query, defined in the HBM mapping file
    NamedQuery query = new NamedQuery(User.class, "user.view.by.id");
    // bind the caller's value to the :userid parameter
    Map parameters = new HashMap();
    parameters.put("userid", userID);
    query.setParameters(parameters);
    List list = Repository.select(query);
    ...
}
----------------------
That piece of code interacts with Hibernate to get a list of user objects with that ID from a relational DB. Here is the extract of the HBM mapping file:
--------------------
<property name="userID" type="string" length="15" column="USER_ID"/>
....
<query name="user.view.by.id"><![CDATA[
    from com.test.user as userX where userID = :userid
]]></query>
--------------------
I am wondering if this represents vulnerable code, exploited by, for example, calling getUsers("' or '1'='1") or something of the sort.
Second, suppose the application interacts with an LDAP server, using the following code:
------------------------------------
public boolean checkUser(String userID) throws NamingException {
    boolean result = false;
    // match entries whose uid attribute equals the supplied value
    Attributes srchAttrs = new BasicAttributes(true);
    String[] resAttrsID = {"uid"};   // attributes to return
    srchAttrs.put("uid", userID);
    NamingEnumeration srchResults = null;
    srchResults = ctx.search(LDAP.getBranch(), srchAttrs, resAttrsID);
    if ((srchResults != null) && srchResults.hasMoreElements())
        result = true;
    else
        result = false;
    return result;
}
------------------------------------
Is this function vulnerable to LDAP Injection? Looking forward to reading your opinions....
Andy.
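The two query styles the first question turns on, as an added example that is not part of Andy's post. The post's NamedQuery and Repository classes are an application wrapper, so this goes straight to the Hibernate 3 Session API (org.hibernate.Session / org.hibernate.Query). The com.test.user entity, the user.view.by.id named query and the :userid parameter are taken from the post; the open Session argument and the "name" and "created" properties in the sort allow-list are assumptions for illustration.

```java
// Added example, not code from the original post. Requires Hibernate 3 on the
// classpath and an open Session; the entity and named query are those from the
// post's HBM mapping file.
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.hibernate.Query;
import org.hibernate.Session;

public class UserLookup {

    // VULNERABLE: the caller's string becomes part of the HQL text itself.
    // findUserUnsafe(session, "' or '1'='1") produces
    //   from com.test.user as userX where userID = '' or '1'='1'
    // which the HQL parser accepts and which matches every row.
    public static List findUserUnsafe(Session session, String userID) {
        String hql = "from com.test.user as userX where userID = '" + userID + "'";
        Query query = session.createQuery(hql);
        return query.list();
    }

    // SAFE: the query text is fixed in the mapping file (user.view.by.id) and
    // :userid is a named parameter. Hibernate sends the value through a JDBC
    // bind variable, so it is never parsed as HQL or SQL; the same input now
    // only matches a row whose USER_ID literally equals  ' or '1'='1 .
    public static List findUserSafe(Session session, String userID) {
        Query query = session.getNamedQuery("user.view.by.id");
        query.setString("userid", userID);
        return query.list();
    }

    // Bound parameters cannot cover identifiers: an ORDER BY column has to be
    // part of the query text, so a request-supplied sort key must be checked
    // against an allow-list of property names (assumed names below) instead
    // of being concatenated as-is.
    private static final Set<String> SORTABLE = new HashSet<String>(
            Arrays.asList("userID", "name", "created"));

    public static List listUsersSorted(Session session, String sortColumn) {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        Query query = session.createQuery(
                "from com.test.user as userX order by userX." + sortColumn);
        return query.list();
    }
}
```

When reviewing Hibernate code the thing to grep for is string concatenation into createQuery or createSQLQuery; a named query whose only variable part is a :parameter is the pattern that keeps user input out of the query text. Binding does not help where the variable part is an identifier (column, table, direction), which is why the sort example validates rather than binds.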
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
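For the second question, an added example that is not from the post: the same uid check written with a concatenated filter string, which is the form that is open to LDAP injection, beside two safe forms. The post's checkUser passes the value inside an Attributes object, and the JDK's LDAP provider escapes attribute values when it builds the filter for that call; the concatenation below is the pattern a reviewer should be looking for instead. Only JDK classes (javax.naming) are used; the DirContext, base DN and LDAP server are assumed to exist, and main only exercises the escaping function so the class runs without a directory.

```java
// Added example, not code from the original post. Uses only javax.naming from
// the JDK; the DirContext and base DN are assumed to be supplied by the caller.
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapUserCheck {

    // VULNERABLE: the filter is assembled by concatenation, so the caller
    // controls filter syntax. userID "*" gives (uid=*), a presence filter that
    // matches every entry with a uid; "*)(|(uid=*" rewrites the filter
    // structure entirely.
    public static boolean checkUserUnsafe(DirContext ctx, String base, String userID)
            throws NamingException {
        String filter = "(uid=" + userID + ")";
        NamingEnumeration<SearchResult> results =
                ctx.search(base, filter, new SearchControls());
        return results.hasMore();
    }

    // SAFE (1): JNDI's filter-argument form. The filter text is a constant and
    // {0} is replaced by the provider, which encodes the argument as an
    // assertion value rather than as filter syntax.
    public static boolean checkUserSafe(DirContext ctx, String base, String userID)
            throws NamingException {
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        ctls.setReturningAttributes(new String[] {"uid"});
        NamingEnumeration<SearchResult> results =
                ctx.search(base, "(uid={0})", new Object[] {userID}, ctls);
        return results.hasMore();
    }

    // SAFE (2): when a filter string really must be built by hand, escape the
    // assertion value as RFC 4515 section 3 requires ( * ( ) \ and NUL ).
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static boolean checkUserEscaped(DirContext ctx, String base, String userID)
            throws NamingException {
        String filter = "(uid=" + escapeFilterValue(userID) + ")";
        NamingEnumeration<SearchResult> results =
                ctx.search(base, filter, new SearchControls());
        return results.hasMore();
    }

    // Runs without a directory: shows what the concatenated filter looks like
    // for a crafted input and what the escaped one looks like.
    public static void main(String[] args) {
        String attack = "*)(|(uid=*";   // constructed sample input
        System.out.println("concatenated: (uid=" + attack + ")");
        System.out.println("escaped:      (uid=" + escapeFilterValue(attack) + ")");
        // escaped output is (uid=\2a\29\28|\28uid=\2a), a plain equality match
    }
}
```

The point of difference is whether the user-supplied string can reach the filter parser. Both the Attributes form in the post and the {0} form hand the provider a value to encode; only the concatenated form lets `*`, `(`, `)` and `\` act as syntax. Authentication code that calls search and then treats "at least one result" as success is exactly where a wildcard filter turns into an unauthenticated login, so the unsafe variant is worth recognising on sight.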
Current thread:
- Analyzing SQL/LDAP Injections in JBOSS/Hibernate Andres Molinetti (May 03)