PHP's LDAP extension provides bindings to the C-based OpenLDAP library, including the ldap_bind() function, to perform LDAP binds. The PHP-side function takes an LDAP connection object, username (DN), and password string as arguments, with its semantics being the same as the corresponding OpenLDAP bind function called with the LDAP_AUTH_SIMPLE method argument.
PHP passes the PHP string arguments to the OpenLDAP C function (which expects C-style null-terminated strings) by passing a pointer to the PHP string's value data in memory. String values in PHP can contain arbitrary byte values, including the null character (byte value 0x00). If an argument to PHP's ldap_bind() contains such a null byte, no special action is taken, so from the C-side ldap_bind() function's point of view, such strings are truncated at the first null byte.
Hence, an attacker can pass a string starting with a null byte as a password when authenticating to an application that uses PHP's ldap_bind(). This will, in many cases, bypass the application's own check for a non-empty password (since the string is non-empty from PHP's perspective), but the password will still appear to be empty to the underlying ldap_bind() function, leading to an unauthenticated (anonymous) bind being performed against the application's intent. This allows an authentication bypass, as the attacker can log in as any given user without needing to know their real LDAP password.
We used the PHP function ldap_bind() in the Zend\Ldap component of ZF2 and the Zend_Ldap class of ZF1. We filtered the password input, removing null bytes before it is passed to ldap_bind(), using the following code:

$password = str_replace("\0", '', $password);

This action sanitizes the password, preventing an anonymous bind from being performed in place of an authenticated one.
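The following is an added example, not code from the advisory or from Zend Framework. It models what the C side of ldap_bind() sees when a PHP string carries an embedded null byte, shows why a PHP-level "non-empty password" check is not sufficient on its own, and places the advisory's str_replace() filter next to a stricter variant that refuses any password containing a null byte. The function names (asSeenByCBind, naivePasswordIsUsable, sanitizedPassword, passwordIsSafeForBind, safeLdapBind) are assumptions chosen for this example; the sample inputs are constructed.

```php
<?php
// Added example (not Zend Framework code). Demonstrates the null-byte
// truncation problem behind the advisory and two ways to guard against it.

/**
 * Model what the OpenLDAP C function sees: PHP hands over a pointer to the
 * string's bytes, and the C library stops reading at the first NUL byte.
 */
function asSeenByCBind(string $value): string
{
    $nul = strpos($value, "\0");
    return $nul === false ? $value : substr($value, 0, $nul);
}

/**
 * The naive application check: rejects only an empty PHP string.
 * "\0secret" passes this test even though the bind will see "".
 */
function naivePasswordIsUsable(string $password): bool
{
    return $password !== '';
}

/**
 * Mitigation as shipped in the advisory: strip null bytes before the bind.
 * Any non-empty check must run on the result of this call, not before it.
 */
function sanitizedPassword(string $password): string
{
    return str_replace("\0", '', $password);
}

/**
 * Stricter variant (added here, not part of the advisory): treat an embedded
 * null byte as a malformed credential and refuse the bind outright, so no
 * truncated value ever reaches the C library.
 */
function passwordIsSafeForBind(string $password): bool
{
    return $password !== '' && strpos($password, "\0") === false;
}

/**
 * Integration point (hypothetical wrapper): gate the real ldap_bind() call.
 * Not invoked below, since it needs ext/ldap and a directory server.
 *
 * @param resource|\LDAP\Connection $ldap connection from ldap_connect()
 */
function safeLdapBind($ldap, string $dn, string $password): bool
{
    if (!passwordIsSafeForBind($password)) {
        return false; // never attempt a bind that could degrade to anonymous
    }
    return ldap_bind($ldap, $dn, $password);
}

// Constructed inputs: a normal password, an empty one, and a null-byte payload.
$cases = ["hunter2", "", "\0attacker"];
foreach ($cases as $pw) {
    printf(
        "%-18s naive=%-3s c-sees=%-12s sanitized=%-12s strict=%s\n",
        json_encode($pw),
        naivePasswordIsUsable($pw) ? 'ok' : 'no',
        json_encode(asSeenByCBind($pw)),
        json_encode(sanitizedPassword($pw)),
        passwordIsSafeForBind($pw) ? 'ok' : 'reject'
    );
}
```

Run it with the PHP CLI (php example.php). The "\0attacker" row is the interesting one: the naive check accepts it, the C side sees an empty password, the advisory's filter turns it into "attacker" (a non-empty value that will simply fail to authenticate), and the strict check rejects it before any bind is attempted. Whichever approach is used, the non-empty test has to be applied to the filtered value, since a password consisting only of null bytes sanitizes to an empty string.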
The following releases contain the fixes:
If you are using an affected version of PHP, and utilizing the LDAP functionality from Zend Framework, we highly recommend upgrading immediately.
This vulnerability was originally reported in the PHP manual:
and in more general detail in the following report:
The vulnerability was patched within PHP's LDAP extension starting with PHP 5.5.12 and PHP 5.4.28. Prior versions remain vulnerable, which is what the patch associated with this advisory attempts to address.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Have you identified a security vulnerability?
Please report it to us at email@example.com