Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

JAVA SQL/LDAP Injections

From: "Andres Molinetti" <andymolinetti () hotmail com>
Date: Wed, 03 May 2006 16:14:51 +0000
Dear list,
I am working on some Java code reviews and was looking for injection vectors that may apply on it. 

Take for example the following code:

---------------------
public User getUsers(String userID) {
...
NamedQuery query = new NamedQuery(User.class, "user.view.by.id");
Map parameters = new HashMap();
parameters.put("userid", userID);
query.setParameters(parameters);
List list = Repository.select(query);
...
}
----------------------
That piece of code interacts with Hibernate to get a list of user objects with that ID from a relational DB. Here is the extract of the HBM mapping file: 

--------------------
<property name="userID" type="string" length="15" column="USER_ID"/>
....
<query name="user.view.by.id"><![CDATA[
from com.test.user as userX
where userID = :userid
]]>
</query>
--------------------
I am wondering if this represents vulnerable code, exploited by, for example, calling getUsers("' or '1'='1") or something of the sort.
Second, suppose the application interacts with an LDAP server, using the following code: 

------------------------------------
public boolean checkUser(String userID) {

          boolean result = false;
          Attributes srchAttrs = new BasicAttributes(true);
          String [] resAttrsID = {"uid"};

          searchAttrs.put("uid", userID);
          Enumeration srchResults = null;
srchResults = ctx.search(LDAP.getBranch(), srchAttrs, resAttrsID); if((srchResults != null) && (srchResults.hasMoreElements() == true)) 
              result = true;

          result = false;

}
------------------------------------

Is this function vulnerable to LDAP Injection?

Looking foward to reading your opinions....

Andy.

_________________________________________________________________
Acepta el reto MSN Premium: Correos más divertidos con fotos y textos increíbles en MSN Premium. Descárgalo y pruébalo 2 meses gratis. http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_correosmasdivertidos 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: