Tags: coldfusion, coldfusion-10, cfqueryparam

Does cfldap allow cfqueryparam?


I want to prevent SQL injection attacks. We have a form that asks for the user's AD username and password. Then our processing code looks something like this:

<cfldap name="ldap_result" action="query" server="999.999.999.999" 
attributes="userprincipalname,title,samaccountname,sn,name,mail,cn" 
filter="(&(objectclass=user)(sAMAccountName=#form.username#))"
start="dc=us,dc=company,dc=lan"
scope="subtree"
username="US\#form.username#" 
password="#form.password#">

I would never run a query with user input without cfqueryparam (to wrap the username and password inputs), but is something like that even available to cfldap? (We're on CF10 if that makes a difference.)

UPDATE:

To clarify, when I tried this, I got the following error:

Attribute validation error for tag CFLDAP.It does not allow the attribute(s) CFSQLTYPE,VALUE.


Solution

  • No, you cannot use the cfqueryparam tag within your cfldap tag. The cfqueryparam is used specifically for SQL queries. You are thinking correctly though. NEVER TRUST USER INPUT

    The cfldap tag does give you some protection in and of itself.

    LDAP injection

    ColdFusion uses the <cfldap> tag to communicate with LDAP servers. This tag has an ACTION attribute that dictates the query performed against the LDAP. The valid values for this attribute are: add, delete, query (default), modify, and modifyDN. All <cfldap> calls are turned into JNDI (Java Naming And Directory Interface) lookups. However, because <cfldap> wraps the calls, it will throw syntax errors if native JNDI code is passed to its attributes, making LDAP injection more difficult.

    From page 14 of the ColdFusion 8 developer security guidelines which you should read if you have not done so already. It was written for ColdFusion 8 but much if not all of it is still relevant. There is an updated version of the document for ColdFusion 11 but it actually references the version 8 document as a reference as well.

    I would suggest that you go with a whitelist approach here. Your active directory has specific requirements for the username and password fields; only lowercase and uppercase letters, numbers, etc. Create a regular expression that checks the user input for those valid characters only. If either field contains anything else then deny the submission and do not run the cfldap call.
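As an added example (not code from the question or the answer above), here is the whitelist check placed in front of the asker's cfldap call. The two patterns and the length bounds are assumptions about what this directory accepts and should be adjusted to its actual naming rules; the server, start DN and attribute list are the ones from the question. The username gets a strict character whitelist because it is interpolated into the LDAP filter, while the password only goes to the bind, so there it is enough to cap the length and reject control characters.

```cfml
<!--- Added example, not from the original post. The allowed character set and
      length limits are assumptions; tighten them to match your directory. --->

<!--- Username goes into the search filter, so allow only letters, digits,
      dot, underscore and hyphen. This excludes the filter metacharacters
      ( ) * \ and NUL, so the filter structure cannot be changed by input. --->
<cfset usernamePattern = "^[A-Za-z0-9._-]{1,64}$">

<!--- Password is only used for the bind, never placed in the filter.
      Reject empty/overlong values and any control character (which also
      covers NUL). Note that "##" is how a literal # is written in CFML strings. --->
<cfset passwordTooLong = len(form.password) GT 128 OR len(form.password) EQ 0>
<cfset passwordHasControlChars = reFind("[[:cntrl:]]", form.password) GT 0>

<cfif NOT reFind(usernamePattern, form.username)
      OR passwordTooLong OR passwordHasControlChars>
    <!--- Deny the submission and do not run the cfldap call. Keep the
          message generic so the response does not reveal which rule failed. --->
    <cfthrow type="InvalidInput"
             message="Login rejected: the supplied credentials contain characters that are not allowed.">
</cfif>

<!--- Only reached when both fields passed the whitelist. --->
<cfldap name="ldap_result" action="query" server="999.999.999.999"
        attributes="userprincipalname,title,samaccountname,sn,name,mail,cn"
        filter="(&(objectclass=user)(sAMAccountName=#form.username#))"
        start="dc=us,dc=company,dc=lan"
        scope="subtree"
        username="US\#form.username#"
        password="#form.password#">
```

reFind returns 0 when the pattern does not match, so `NOT reFind(...)` is true exactly when the username contains something outside the allowed set. Because the check runs before the tag, a rejected request never touches the directory, which is the behaviour the answer recommends; it also gives you a single place to log rejected submissions if you want to watch for probing.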