Full Disclosure mailing list archives
JAVA SQL/LDAP Injections
From: "Andres Molinetti" <andymolinetti () hotmail com>
Date: Wed, 03 May 2006 16:14:51 +0000
Dear list,I am working on some Java code reviews and was looking for injection vectors that may apply on it.
Take for example the following code: --------------------- public User getUsers(String userID) { ... NamedQuery query = new NamedQuery(User.class, "user.view.by.id"); Map parameters = new HashMap(); parameters.put("userid", userID); query.setParameters(parameters); List list = Repository.select(query); ... } ----------------------That piece of code interacts with Hibernate to get a list of user objects with that ID from a relational DB. Here is the extract of the HBM mapping file:
-------------------- <property name="userID" type="string" length="15" column="USER_ID"/> .... <query name="user.view.by.id"><![CDATA[ from com.test.user as userX where userID = :userid ]]> </query> --------------------I am wondering if this represents vulnerable code, exploited by, for example, calling getUsers("' or '1'='1") or something of the sort.
Second, suppose the application interacts with an LDAP server, using the following code:
------------------------------------ public boolean checkUser(String userID) { boolean result = false; Attributes srchAttrs = new BasicAttributes(true); String [] resAttrsID = {"uid"}; searchAttrs.put("uid", userID); Enumeration srchResults = null;srchResults = ctx.search(LDAP.getBranch(), srchAttrs, resAttrsID); if((srchResults != null) && (srchResults.hasMoreElements() == true))
result = true; result = false; } ------------------------------------ Is this function vulnerable to LDAP Injection? Looking foward to reading your opinions.... Andy. _________________________________________________________________Acepta el reto MSN Premium: Correos más divertidos con fotos y textos increíbles en MSN Premium. Descárgalo y pruébalo 2 meses gratis. http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_correosmasdivertidos
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- JAVA SQL/LDAP Injections Andres Molinetti (May 03)