Vigil@nce - ldapauth, ldapauth-fork: LDAP injection
November 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use an LDAP injection in ldapauth or ldapauth-fork
to read or alter data.
Impacted products: Node.js Modules (not comprehensive).
Severity: 2/4.
Creation date: 21/09/2015.
DESCRIPTION OF THE VULNERABILITY
The ldapauth-fork product, forked from ldapauth, connects to an
LDAP directory.
However, user-supplied data is inserted directly into an LDAP query.
An attacker can therefore use an LDAP injection in ldapauth or
ldapauth-fork to read or alter data.
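The pattern described above, as an added example that is not part of the bulletin and is not ldapauth or ldapauth-fork source code: a value substituted directly into an LDAP search filter, next to the same substitution with RFC 4515 escaping. The filter template, the function names and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not ldapauth / ldapauth-fork source code.
// TEMPLATE and all function names are hypothetical.
const TEMPLATE = '(uid={{username}})';

// Vulnerable pattern: the value reaches the filter unchanged.
function buildFilterUnsafe(username) {
  return TEMPLATE.replace(/\{\{username\}\}/g, () => String(username));
}

// RFC 4515: NUL, '(', ')', '*' and '\' inside an assertion value must be
// written as a backslash followed by the two-digit hex code of the byte.
function escapeFilterValue(value) {
  return String(value).replace(/[\0()*\\]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Hardened pattern: escape first, then substitute.
function buildFilterSafe(username) {
  return TEMPLATE.replace(/\{\{username\}\}/g, () => escapeFilterValue(username));
}

// In a well-formed filter every literal '(' or '*' is structural, because
// literal ones inside values are hex-escaped. Counting them shows whether
// the input changed the shape of the query.
function filterShape(filter) {
  return {
    groups: (filter.match(/\(/g) || []).length,
    wildcards: (filter.match(/\*/g) || []).length,
  };
}

// Constructed sample inputs (not taken from the bulletin).
const samples = ['alice', 'a*', 'x)(cn=y', 'back\\slash'];
for (const s of samples) {
  const unsafe = buildFilterUnsafe(s);
  const safe = buildFilterSafe(s);
  console.log(JSON.stringify(s));
  console.log('  unsafe:', unsafe, filterShape(unsafe));
  console.log('  safe:  ', safe, filterShape(safe));
}
```

With escaping applied, every sample yields exactly one filter group and no wildcard, so the query keeps the shape the template defines.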
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/ldapauth-ldapauth-fork-LDAP-injection-17940