PHP's LDAP extension provides bindings to the C-based OpenLDAP library, including the ldap_bind() function, to perform LDAP binds. The PHP-side function takes an LDAP connection object, username (DN), and password string as arguments, with its semantics being the same as the OpenLDAP ldap_bind() function called with the LDAP_AUTH_SIMPLE method argument.
PHP passes the PHP string arguments to the OpenLDAP C function (which expects C-style null-terminated strings) by passing a pointer to the PHP string's value data in memory. String values in PHP can contain arbitrary byte values, including the null character (byte value 0x00). If an argument to PHP's ldap_bind() contains such a null byte, no special action is taken, so from the OpenLDAP C ldap_bind() function's point of view, such strings are truncated at the first null byte.
Hence, an attacker can pass a string starting with a null byte as a password when authenticating to an application that uses PHP's ldap_bind(). This will, in many cases, bypass the application's own check for a non-empty password (since the string is non-empty from PHP's perspective), but the password still appears empty to the OpenLDAP ldap_bind() function, leading to an unauthenticated bind being performed against the application's intent. This allows an authentication bypass, as the attacker can log in as any given user without needing to know their real LDAP password.
We used the PHP function ldap_bind() in the Zend\Ldap component of ZF2 and in the Zend_Ldap class of ZF1.
We filtered the password input, removing null bytes, using the following code:

    $password = str_replace("\0", '', $password);

This sanitizes the password before it reaches ldap_bind(), so a null byte can no longer make the C-side function see an empty password and perform an anonymous bind.
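The following PHP script is an added example, not Zend Framework code: it models what the null-terminated C side of ldap_bind() receives for a given PHP string (the asSeenByC() helper is assumed; it only mimics the truncation described above and performs no LDAP bind), and compares the pre-fix non-empty check with the advisory's str_replace() sanitization on constructed sample passwords.

```php
<?php
// Added example (not Zend Framework code). No LDAP server is contacted;
// asSeenByC() only models how a C function reading a null-terminated
// string perceives a PHP string that may contain 0x00 bytes.

/** Model of the C side: everything from the first null byte onward is invisible. */
function asSeenByC(string $s): string
{
    $nul = strpos($s, "\0");
    return $nul === false ? $s : substr($s, 0, $nul);
}

/** Pre-fix application check: only tests emptiness at the PHP level. */
function acceptsPasswordVulnerable(string $password): bool
{
    return $password !== '';
}

/** The advisory's sanitization: strip every null byte before calling ldap_bind(). */
function sanitizePassword(string $password): string
{
    return str_replace("\0", '', $password);
}

/** Post-fix check: sanitize first, then reject an empty result. */
function acceptsPasswordFixed(string $password): bool
{
    return sanitizePassword($password) !== '';
}

// Constructed sample inputs (labels describe each case).
$cases = [
    'ordinary password'  => 'correct-horse',
    'leading null byte'  => "\0anything",
    'embedded null byte' => "abc\0def",
    'genuinely empty'    => '',
];

foreach ($cases as $label => $password) {
    $cSide = asSeenByC($password);
    printf("%-19s php_len=%d c_len=%d c_hex=%-14s vuln_accepts=%-5s fixed_accepts=%s\n",
        $label,
        strlen($password),
        strlen($cSide),
        bin2hex($cSide) === '' ? '(empty)' : bin2hex($cSide),
        var_export(acceptsPasswordVulnerable($password), true),
        var_export(acceptsPasswordFixed($password), true));
}
```

For the "leading null byte" case the vulnerable check accepts the password while the C side sees a zero-length string, which is exactly the condition that produced the anonymous bind; the fixed check rejects it. A stricter alternative to silently stripping null bytes is to reject any password containing one outright.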
The following releases contain the fixes:
If you are using an affected version of PHP, and utilizing the LDAP functionality from Zend Framework, we highly recommend upgrading immediately.
This vulnerability was originally reported in the PHP manual:
and in more general detail in the following report:
The vulnerability was patched within PHP's LDAP extension starting with PHP 5.5.12 and PHP 5.4.28. Prior versions remain vulnerable; the patch associated with this advisory addresses those versions.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Released 2014-09-18
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com