PHP LDAP Search Injection
Description
An LDAP injection vulnerability in PHP occurs when untrusted user input is used directly in LDAP search filters without proper sanitization. By injecting special characters and LDAP operators, an attacker can manipulate LDAP search queries to bypass authentication or access unauthorized information.
Detection Strategy
• Identifies calls to PHP's ldap_search() function in the codebase
• Verifies the function call has at least 3 arguments (connection, base DN, and search filter)
• Analyzes the third argument (search filter) to check if it contains unsanitized user input or dangerous data sources
• Reports a vulnerability when the LDAP search filter contains data that could be controlled by an attacker
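The four checks above, sketched as a small line-based scanner. This is an added example, not Fluid Attacks' own detection code. The request sources it tracks, its treatment of ldap_escape() with LDAP_ESCAPE_FILTER as the only sanitizer, and the one-statement-per-line input are assumptions made here.

```python
import re
# Assumed sources and sanitizer for this sketch; a real scanner tracks many more.
SOURCES = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
SANITIZED = re.compile(r"\bldap_escape\s*\([^()]*\bLDAP_ESCAPE_FILTER\b[^()]*\)")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")

def call_args(src, pos):
    """Split the call whose '(' is at src[pos] on top-level commas, skipping strings."""
    args, cur, depth, quote = [], "", 1, None
    for i in range(pos + 1, len(src)):
        ch = src[i]
        if quote:  # inside a PHP string literal: '(' ')' ',' are plain text
            quote = None if ch == quote and src[i - 1] != "\\" else quote
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return args + [cur.strip()] if cur.strip() else args
        elif ch == "," and depth == 1:
            args, cur = args + [cur.strip()], ""
            continue
        cur += ch
    return args  # unbalanced call: return what was parsed

def is_dirty(expr, tainted):
    """True if expr holds request data once filter-escaped sub-expressions are removed."""
    rest = SANITIZED.sub("", expr)
    return bool(SOURCES.search(rest)) or any(v in tainted for v in re.findall(r"\$\w+", rest))

def find_ldap_injection(php_src):
    """Return (line_no, filter_expr) for each ldap_search() whose third argument is tainted."""
    tainted, findings = set(), []
    for no, line in enumerate(php_src.splitlines(), 1):
        call = re.search(r"\bldap_search\s*\(", line)
        if call:
            args = call_args(line, call.end() - 1)
            if len(args) >= 3 and is_dirty(args[2], tainted):
                findings.append((no, args[2]))
        for name, rhs in ASSIGN.findall(line):  # propagate or clear taint
            tainted = tainted | {name} if is_dirty(rhs, tainted) else tainted - {name}
    return findings

# Constructed sample mirroring the page's vulnerable snippet.
SAMPLE = '''$username = $_POST['username'];
$filter = "(uid=" . $username . ")";
$result = ldap_search($ldap_conn, "dc=example,dc=com", $filter);'''
```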
Vulnerable code example
<?php
$ldap_conn = ldap_connect("ldap.example.com");
$username = $_POST['username'];
// VULNERABLE: Direct concatenation of user input in LDAP filter
$filter = "(uid=" . $username . ")";
$result = ldap_search($ldap_conn, "dc=example,dc=com", $filter);
...
✅ Secure code example
<?php
$ldap_conn = ldap_connect("ldap.example.com");
$username = $_POST['username'];
// Secure: Escape user input to prevent LDAP injection attacks
$safe_username = ldap_escape($username, "", LDAP_ESCAPE_FILTER);
$filter = "(uid=" . $safe_username . ")";
$result = ldap_search($ldap_conn, "dc=example,dc=com", $filter);
...