The North Carolina State University directory is very educational--not only does it use LDAP, but it has a "Show LDAP Query" feature :)
Here's a simple query for a last name beginning with "foo":
Here's the query it made, showing the simple syntax.
Here's a simple injection, a last name of
foo)(sn=
That shows the whole database:
I told NCSU about it and they patched it the same day--it looks like they did it with input filtering, removing parentheses.
They also said the system was set to allow reads but not writes from the LDAP form, which lowers the risk of this vulnerability.
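The fix described above, as an added example (not NCSU's code): the search filter template here is an assumption, since the real query is not reproduced on this page. It compares filtering out parentheses with escaping the input per RFC 4515, which keeps the input inside a single filter value.

```python
# Added example. TEMPLATE is a hypothetical directory search filter;
# the page does not show the filter NCSU actually used.
TEMPLATE = "(|(sn={0}*)(givenName={0}*))"

# RFC 4515 section 3: these characters must be written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input so it cannot close or open a filter component."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def strip_parentheses(value: str) -> str:
    """Input filtering as described in the post: drop parentheses."""
    return value.replace("(", "").replace(")", "")


def build_unsafe(last_name: str) -> str:
    """String concatenation with no handling of metacharacters."""
    return TEMPLATE.format(last_name)


def build_safe(last_name: str) -> str:
    """Same template, with the input escaped first."""
    return TEMPLATE.format(escape_filter_value(last_name))


def structural_opens(ldap_filter: str) -> int:
    """Count filter components. Escaped parentheses appear as \\28, so every
    literal '(' left in the string is part of the filter's structure."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    for name in ("foo", "foo)(sn="):  # second value is the input from the post
        for label, build in (("unsafe", build_unsafe), ("safe", build_safe)):
            f = build(name)
            print(f"{label:6} {name!r:12} -> {f}  components={structural_opens(f)}")
    print("stripped:", TEMPLATE.format(strip_parentheses("foo)(sn=")))
```

A component count that changes with the input is a usable test signal: the escaped filter keeps the same structure for any last name, while the concatenated one does not.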
Posted 1:10 PM 11-24-13 by Sam Bowne