lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <BAY107-F11C61B93C8135262ED66E5B8B70@phx.gbl>
Date: Wed May  3 18:53:03 2006
From: andymolinetti at hotmail.com (Andres Molinetti)
Subject: Analyzing SQL/LDAP Injections in JBOSS/Hibernate

Dear list,

I am working on some Java code reviews and was looking for injection vectors 
that may apply on it.

I know that this is not the most suitable place to post this subject, but 
the WebAppsec* related lists weren't very helpful.

Take for example the following code:

---------------------
public User getUsers(String userID) {
...
NamedQuery query = new NamedQuery(User.class, "user.view.by.id");
Map parameters = new HashMap();
parameters.put("userid", userID);
query.setParameters(parameters);
List list = Repository.select(query);
...
}
----------------------


That piece of code interacts with Hibernate to get a list of user objects 
with that ID from a relational DB. Here is the extract of the HBM mapping 
file:

--------------------
<property name="userID" type="string" length="15" column="USER_ID"/>
....
<query name="user.view.by.id"><![CDATA[
from com.test.user as userX
where userID = :userid
]]>
</query>
--------------------

I am wondering if this represents vulnerable code, exploited by, for 
example, calling getUsers("' or '1'='1") or something of the sort.

Second, suppose the application interacts with an LDAP server, using the 
following code:

------------------------------------
public boolean checkUser(String userID) {

           boolean result = false;
           Attributes srchAttrs = new BasicAttributes(true);
           String [] resAttrsID = {"uid"};

           searchAttrs.put("uid", userID);
           Enumeration srchResults = null;

           srchResults = ctx.search(LDAP.getBranch(), srchAttrs, 
resAttrsID);
           if((srchResults != null) && (srchResults.hasMoreElements() == 
true))
               result = true;

           result = false;

}
------------------------------------

Is this function vulnerable to LDAP Injection?

Looking foward to reading your opinions....

Andy.

_________________________________________________________________
Dale rienda suelta a tu tiempo libre. Mil ideas para exprimir tu ocio con 
MSN Entretenimiento. http://entretenimiento.msn.es/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ