Security

Security Advisory: ZF2014-05

ZF2014-05: Anonymous authentication in ldap_bind() function of PHP, using null byte

PHP's LDAP extension provides bindings to the C-based OpenLDAP library, including the ldap_bind() function, to perform LDAP binds. The PHP-side function takes an LDAP connection object, username (DN), and password string as arguments, with its semantics being the same as the OpenLDAP ldap_bind() function called with the LDAP_AUTH_SIMPLE method argument.

PHP passes the PHP string arguments to the OpenLDAP C function — which expects C-style null-terminated strings — by passing a pointer to the PHP string's value data in memory. String values in PHP can contain arbitrary byte values, including the null character (byte value 0x00). If an argument to PHP's ldap_bind() contains such a null byte, no special action is taken, so from the OpenLDAP C ldap_bind() function's point of view, such strings are truncated at the first null byte.

Hence, an attacker can pass a string starting with a null byte as a password when authenticating to an application that uses PHP's ldap_bind(). This will, in many cases, bypass the application's own check for a non-empty password (since the string is non-empty from PHP's perspective), but still appear to be empty to the OpenLDAP ldap_bind() function, leading to an unauthenticated bind being performed against the application's intent. This allows an authentication bypass, as the attacker can login as any given user without needing to know their real LDAP password.

We used the PHP function ldap_bind() in the Zend\Ldap component of ZF2 and in the Zend_Ldap class of ZF1.

Action Taken

We filtered the password input, removing null bytes, using the following code:

$password = str_replace("\0", '', $password);

This action sanitizes the password, preventing anonymous authentication.

The following releases contain the fixes:

  • Zend Framework 1.12.9
  • Zend Framework 2.2.8
  • Zend Framework 2.3.3

If you are using an affected version of PHP, and utilizing the LDAP functionality from Zend Framework, we highly recommend upgrading immediately.

Other Information

This vulnerability was originally reported in the PHP manual:

and in more general detail in the following report:

The vulnerability was patched within PHP's LDAP extension starting with PHP 5.5.12 and PHP 5.4.28. Prior versions remain vulnerable, which is what the patch associated with this advisory attempts addresses.

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Matthew Daley, who discovered and reported the issue in Zend\Ldap component of ZF2;
  • Enrico Zimuel, who provided the patch.

Released 2014-09-18

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts