Events for all Levels and InterestsStay
Jump Start Your Career GrowthStay
Get on the Higher Ed IT MapStay
Uncommon Thinking for the Common Good™Stay
Unauthenticated Authentication: Null Bytes and the Affect on Web-based
Sunday, January 1, 2006
This paper describes a vulnerability that may affect web-based applications that insecurely implement LDAP simple binds for the authentication of users. Web-based applications that fail to properly sanitize a user-submitted username and password may be vulnerable. Successful exploitation may allow for a remote anonymous user to authenticate to the web-based application as any existing user. The exploits described in this paper are most closely related to the Poison NULL byte attacks described in 1999 by Rain Forest Puppy, although utilized for a new purpose .