Prevent LDAP Entry Poisoning

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: java-security/ldap-entry-poisoning

Language: Java

Severity: Info

Category: Security

Description

JNDI API support the binding of serialize object in LDAP directories and can lead to remove code execution. Generally, object deserialization should be consider a risky operation that can lead to remote code execution. This exploitation has been demonstrated at Black Hat USA 2016.

Learn More

Non-Compliant Code Examples

class NotCompliant {
    public void myMethod() {
        DirContext ctx = new InitialDirContext();

        ctx.search(query, filter,
                new SearchControls(scope, countLimit, timeLimit, attributes,
                    true,
                    deref));
    }
}

Compliant Code Examples

class Compliant {
    public void myMethod() {
        DirContext ctx = new InitialDirContext();

        ctx.search(query, filter,
                new SearchControls(scope, countLimit, timeLimit, attributes,
                    false,
                    deref));
    }
}