Description
A critical LDAP injection vulnerability exists in the plugin’s login flow. Unsanitized user input is embedded directly into an LDAP search filter without proper escaping, allowing an attacker to manipulate the LDAP query structure.
The vulnerability originates in oauth/index.php, where user input is porly sanitized then passed to the LDAP->checkLogin() method. Inside LDAP.php, the filter is constructed like so:
index.php :
$user=strtolower(strip_tags(htmlspecialchars(trim($_POST['user']))));
ldap.php :
if ($ldap_filter != "" && $ldap_filter != null) {
$search_filter = '(&(' . $ldap_search_attribute . '=' . $user . ')' . $ldap_filter .')';
} else {
$search_filter = '(' . $ldap_search_attribute . '=' . $user . ')';
}
The $user value here is only stripped of HTML tags (strip_tags(htmlspecialchars(...))), which does not prevent LDAP special characters from being injected (e.g. )(objectClass=)).
To Reproduce
- Send a crafted POST request to /oauth/access_token with the user field containing special characters to break the LDAP filter.
- Example payload (pseudo):
user=username)(|(cn=*))&password=example
- Observe the resulting LDAP query returning valid responses.
Expected behavior
Input should be properly escaped to prevent unintended LDAP query logic. The plugin should use ldap_escape($user, '', LDAP_ESCAPE_FILTER) before embedding user input into LDAP filters.
Screenshots
this is how the user input gets threated:

Description
A critical LDAP injection vulnerability exists in the plugin’s login flow. Unsanitized user input is embedded directly into an LDAP search filter without proper escaping, allowing an attacker to manipulate the LDAP query structure.
The vulnerability originates in oauth/index.php, where user input is porly sanitized then passed to the LDAP->checkLogin() method. Inside LDAP.php, the filter is constructed like so:
index.php :
ldap.php :
The $user value here is only stripped of HTML tags (strip_tags(htmlspecialchars(...))), which does not prevent LDAP special characters from being injected (e.g. )(objectClass=)).
To Reproduce
user=username)(|(cn=*))&password=example
Expected behavior
Input should be properly escaped to prevent unintended LDAP query logic. The plugin should use ldap_escape($user, '', LDAP_ESCAPE_FILTER) before embedding user input into LDAP filters.
Screenshots
this is how the user input gets threated: