line 22: 


Set ldapObj =


Server.CreateObject("IPWorksASP.LDAP")


line 23: 


ldapObj.ServerName = LDAP_SERVER


line 24: 


ldapObj.DN =


"ou=people,dc=spilab,dc=com"


line 25:


line 26: 


 Setting the search filter


line 27: 


ldapObj.SearchFilter = filter


line 28:


line 29: 


ldapObj.Search


line 30:


line 31: 


 Showing the user information


line 32: 


While ldapObj.NextResult = 1


line 33: 


Response.Write("
")


line 34:


line 35: 


Response.Write("User


information for : " +


ldapObj.AttrValue(0) + "
")


line 36: 


For i = 0 To ldapObj.AttrCount  1


line 37: 


Response.Write("" +


ldapObj.AttrType(i) +


" : " + ldapObj.AttrValue(i) + "
" )


line 38: 


Next


line 39: 


Response.Write("
")


line 40: 


Wend


line 41: %>


line 42: 


line 43: 


Looking at the code, we see on line 10 that the userName variable is


initialized with the parameter user and then quickly validated to see


if the value is empty. If the value is not empty, the userName is used


to initialize the filter variable on line 18. This new variable is


directly used to construct an LDAP query that will be use in the call to


SearchFilter on line 27. In this scenario, the attacker has


32


Copyright 2004, Web Application Security Consortium. All rights reserved.






Unlimited Web Hosting






  

    
  

  

    
 
  

  

    
  

  

    
TotalRoute.net Business web hosting division of Vision Web Hosting Inc. All rights reserved.