Skip to content

LDAP Injection via Unescaped User Input in oauth/index.php #118

Description

@itssherwin

Description
A critical LDAP injection vulnerability exists in the plugin’s login flow. Unsanitized user input is embedded directly into an LDAP search filter without proper escaping, allowing an attacker to manipulate the LDAP query structure.

The vulnerability originates in oauth/index.php, where user input is porly sanitized then passed to the LDAP->checkLogin() method. Inside LDAP.php, the filter is constructed like so:

index.php :

$user=strtolower(strip_tags(htmlspecialchars(trim($_POST['user']))));

ldap.php :

if ($ldap_filter != "" && $ldap_filter != null) {
    $search_filter = '(&(' . $ldap_search_attribute . '=' . $user . ')' . $ldap_filter .')';
} else {
    $search_filter = '(' . $ldap_search_attribute . '=' . $user . ')';
}

The $user value here is only stripped of HTML tags (strip_tags(htmlspecialchars(...))), which does not prevent LDAP special characters from being injected (e.g. )(objectClass=)).

To Reproduce

  1. Send a crafted POST request to /oauth/access_token with the user field containing special characters to break the LDAP filter.
  2. Example payload (pseudo):
    user=username)(|(cn=*))&password=example
  3. Observe the resulting LDAP query returning valid responses.

Expected behavior
Input should be properly escaped to prevent unintended LDAP query logic. The plugin should use ldap_escape($user, '', LDAP_ESCAPE_FILTER) before embedding user input into LDAP filters.

Screenshots
this is how the user input gets threated:

Image Image

Metadata

Metadata

Assignees

Labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions