[Full-disclosure] Analyzing SQL/LDAP Injections in JBOSS/Hibernate
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Analyzing SQL/LDAP Injections in JBOSS/Hibernate
- From: "Andres Molinetti" <andymolinetti@xxxxxxxxxxx>
- Date: Wed, 03 May 2006 17:52:48 +0000
Dear list,
I am working on some Java code reviews and was looking for injection vectors
that may apply to it.
I know that this is not the most suitable place to post this subject, but
the WebAppsec* related lists weren't very helpful.
Take for example the following code:
---------------------
public List getUsers(String userID) {
    ...
    // Named HQL query; userID is bound to the :userid placeholder
    NamedQuery query = new NamedQuery(User.class, "user.view.by.id");
    Map parameters = new HashMap();
    parameters.put("userid", userID);
    query.setParameters(parameters);
    List list = Repository.select(query);
    ...
}
----------------------
That piece of code interacts with Hibernate to get a list of user objects
with that ID from a relational DB. Here is an extract from the HBM mapping
file:
--------------------
<property name="userID" type="string" length="15" column="USER_ID"/>
....
<query name="user.view.by.id"><![CDATA[
from com.test.user as userX
where userID = :userid
]]>
</query>
--------------------
I am wondering if this represents vulnerable code, exploited by, for
example, calling getUsers("' or '1'='1") or something of the sort.
Second, suppose the application interacts with an LDAP server, using the
following code:
------------------------------------
public boolean checkUser(String userID) throws NamingException {
    boolean result = false;
    // Search the LDAP branch for entries whose uid attribute matches
    // userID, returning only the uid attribute of each hit.
    // ctx is a DirContext bound to the LDAP server (field, not shown).
    Attributes srchAttrs = new BasicAttributes(true);
    String[] resAttrsID = {"uid"};
    srchAttrs.put("uid", userID);
    NamingEnumeration srchResults = null;
    srchResults = ctx.search(LDAP.getBranch(), srchAttrs, resAttrsID);
    if ((srchResults != null) && srchResults.hasMoreElements())
        result = true;
    else
        result = false;
    return result;
}
------------------------------------
Is this function vulnerable to LDAP Injection?
Looking forward to reading your opinions....
Andy.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
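As an added example (not code from the original post, nor from Hibernate or the JNDI LDAP provider), the following Python script uses the standard library's sqlite3 and re modules as stand-ins for the JDBC and LDAP layers to show what each of the two questions turns on. users_by_id_concat() and users_by_id_bound() run the post's ' or '1'='1 input once spliced into the query text and once as a bind parameter, which is how a named-query parameter such as :userid reaches the database. uid_filter_concat() and uid_filter_escaped() build the LDAP filter (uid=VALUE) from the caller's string with and without RFC 4515 escaping, and check_user() evaluates the resulting filter against a constructed list of uids. The post's checkUser() uses the attribute-matching overload DirContext.search(Name, Attributes, String[]), which takes userID as an attribute value rather than as filter text; the vulnerable shape shown here is the alternative of handing a concatenated filter string to search(Name, String, SearchControls). All function names, sample rows and uids are constructed for this example.

```python
import re
import sqlite3

# Constructed sample rows standing in for the User entity; USER_ID is
# VARCHAR(15) to mirror the HBM mapping's column length.
SAMPLE_USERS = [("alice", "Alice"), ("bob", "Bob"), ("carol", "Carol")]

# Constructed directory: the uid values the LDAP branch would hold.
SAMPLE_DIRECTORY = ["alice", "bob", "carol"]

# The payload from the post, as a caller of getUsers() might pass it.
SQLI_PAYLOAD = "' or '1'='1"


def make_db():
    """In-memory table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id VARCHAR(15), name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def users_by_id_concat(conn, user_id):
    """Vulnerable pattern: the caller's string becomes part of the SQL text,
    so a quote in it closes the literal and the rest is parsed as SQL."""
    sql = "SELECT user_id FROM users WHERE user_id = '" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]


def users_by_id_bound(conn, user_id):
    """Safe pattern, the equivalent of the :userid named parameter: the value
    travels as a bind parameter and is compared as a single string."""
    sql = "SELECT user_id FROM users WHERE user_id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


# RFC 4515 requires these characters to be hex-escaped inside an assertion
# value so they are matched literally instead of acting as filter syntax.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28",
                        ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter string."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def uid_filter_concat(uid):
    """Vulnerable pattern: filter text built by concatenation, so '*' or
    ')(' in uid changes what the filter means."""
    return "(uid=" + uid + ")"


def uid_filter_escaped(uid):
    """Hardened form of the same filter: uid is escaped first."""
    return "(uid=" + ldap_filter_escape(uid) + ")"


def _assertion_to_regex(assertion):
    """Translate an assertion value into a regex: an unescaped '*' is a
    wildcard, a hex escape is one literal character, the rest is literal."""
    parts = []
    i = 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "*":
            parts.append(".*")
            i += 1
        elif ch == "\\" and i + 3 <= len(assertion):
            parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(re.escape(ch))
            i += 1
    return "".join(parts)


def check_user(filter_text, directory=SAMPLE_DIRECTORY):
    """Minimal evaluator for filters of the shape (uid=VALUE) against the
    constructed directory: True if any entry matches, the way the post's
    checkUser() returns true when the search has at least one result."""
    m = re.fullmatch(r"\(uid=(.*)\)", filter_text)
    if m is None:
        raise ValueError("unsupported filter: " + filter_text)
    pattern = re.compile(_assertion_to_regex(m.group(1)))
    return any(pattern.fullmatch(uid) for uid in directory)


if __name__ == "__main__":
    db = make_db()
    print("concat:", users_by_id_concat(db, SQLI_PAYLOAD))  # every row
    print("bound: ", users_by_id_bound(db, SQLI_PAYLOAD))   # []
    for f in (uid_filter_concat("*"), uid_filter_escaped("*")):
        print(f, "->", check_user(f))  # (uid=*) True, (uid=\2a) False
```

With the concatenated query the payload returns every row, while the bound version returns nothing because the whole string is compared against USER_ID. On the LDAP side a lone `*` passed through uid_filter_concat() makes checkUser-style code report that a user exists for any input, whereas the escaped filter only matches a uid that is literally an asterisk.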