SV.LDAP.ANON
Incorrect authentication
The SV.LDAP.ANON checker detects whether anonymous LDAP binding is used when connecting to an LDAP server.
Vulnerability and risk
Anonymous binding is an LDAP server function: a client that sends a bind request with no bind DN and no password (binddn and bindpasswd are empty) is connected as an anonymous user and can search and read whatever the server exposes to unauthenticated clients. When an application binds this way, no identity is attached to the connection and nothing the directory returns was gated by a password. This weakness can therefore expose directory data or application functionality to unintended actors, possibly giving attackers sensitive information (account names, group memberships, attributes such as e-mail addresses or phone numbers) or access to functionality that assumes an authenticated client.
Vulnerable code example 1
import java.util.Hashtable;
import javax.naming.Context;

// Set up the environment for creating the initial context
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");
env.put(Context.SECURITY_AUTHENTICATION, "none"); // Using anonymous authentication: no bind DN or password is sent
Klocwork reports an SV.LDAP.ANON defect on the line that sets Context.SECURITY_AUTHENTICATION to "none", indicating, "Use of ldap authentication with anonymous bind can lead to successful authentication without password".
Fixed code example 1
import java.util.Hashtable;
import javax.naming.Context;

// Set up the environment for creating the initial context
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");
env.put(Context.SECURITY_AUTHENTICATION, "simple"); // Authenticated (simple) bind
env.put(Context.SECURITY_PRINCIPAL, "cn=app,o=JNDITutorial"); // Bind DN (placeholder value, not from the original example)
env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PASSWORD")); // Read from the environment; never hard-code the password
In this fixed example, Klocwork no longer reports a defect because Context.SECURITY_AUTHENTICATION is set to "simple" instead of "none". Note that "simple" by itself only selects the mechanism: if Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS are not also supplied, the JNDI LDAP provider sends a bind request with an empty name and password, which LDAP (RFC 4513) defines as an anonymous bind, so the checker is satisfied but the connection is still unauthenticated. A simple bind also sends the password in clear text, so the connection should use ldaps:// (or Context.SECURITY_PROTOCOL set to "ssl") or negotiate StartTLS before binding.
Vulnerable code example 2
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

DirContext ctx = new InitialDirContext(env); // env is the Hashtable built in example 1
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "none"); // another way of using anonymous authentication
ctx.close();
Klocwork reports an SV.LDAP.ANON defect on the ctx.addToEnvironment(...) call that sets Context.SECURITY_AUTHENTICATION to "none", indicating, "Use of ldap authentication with anonymous bind can lead to successful authentication without password". Changing the property on an existing context is flagged for the same reason as setting it in the initial environment: the updated value is used when the context next authenticates to the server (for example after LdapContext.reconnect()).
Fixed code example 2
DirContext ctx = new InitialDirContext(env); // env is the Hashtable built in example 1
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, "cn=app,o=JNDITutorial"); // Bind DN (placeholder value, not from the original example)
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PASSWORD")); // Read from the environment; never hard-code the password
ctx.close();
In this fixed example, Klocwork no longer reports a defect because the addToEnvironment(...) call sets Context.SECURITY_AUTHENTICATION to "simple". As with the first fix, "simple" alone is not an authenticated bind: Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS must also be present, and the password should only be sent over ldaps:// or after StartTLS.
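The checker only looks for the literal "none"; the two fixes above still depend on the caller supplying a principal, a password and a protected transport. The guard below is an added example, not Klocwork's code and not part of the original page: it validates a JNDI environment before the InitialDirContext is created and rejects the same weak configurations discussed in both fixes. The class name LdapBindGuard, the exception type, the rule that a "simple" bind must use ldaps:// or Context.SECURITY_PROTOCOL "ssl" (an application that negotiates StartTLS on an ldap:// URL would relax that rule), and the host, base DN and account in main are all assumptions of this example; the sample environments are constructed inline and no server is contacted.

```java
import java.util.Hashtable;
import java.util.List;
import java.util.Locale;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Added example (not Klocwork's code): refuse to open a JNDI LDAP context unless the bind is authenticated. */
public final class LdapBindGuard {

    /** Thrown when the environment would produce an anonymous or unauthenticated bind. */
    public static final class AnonymousBindException extends IllegalArgumentException {
        public AnonymousBindException(String msg) { super(msg); }
    }

    /**
     * Validates the JNDI environment. Rules (assumptions of this example):
     * authentication must not be "none"; a "simple" bind must carry a non-empty
     * principal and credentials and must travel over TLS (ldaps:// or SECURITY_PROTOCOL "ssl").
     */
    public static void requireAuthenticatedBind(Hashtable<String, Object> env) {
        Object auth = env.get(Context.SECURITY_AUTHENTICATION);
        if (auth == null) {
            // The JNDI LDAP provider defaults to an anonymous bind when SECURITY_AUTHENTICATION
            // is absent and no principal is supplied, so treat "unset" like "none".
            if (env.get(Context.SECURITY_PRINCIPAL) == null) {
                throw new AnonymousBindException("SECURITY_AUTHENTICATION not set; JNDI would bind anonymously");
            }
            auth = "simple";
        }
        String mech = auth.toString().trim().toLowerCase(Locale.ROOT);
        if ("none".equals(mech)) {
            throw new AnonymousBindException("SECURITY_AUTHENTICATION is \"none\" (anonymous bind)");
        }
        if ("simple".equals(mech)) {
            Object principal = env.get(Context.SECURITY_PRINCIPAL);
            Object credentials = env.get(Context.SECURITY_CREDENTIALS);
            if (principal == null || principal.toString().isEmpty()) {
                throw new AnonymousBindException("simple bind without SECURITY_PRINCIPAL is an anonymous bind");
            }
            if (credentials == null || isEmptyCredential(credentials)) {
                // RFC 4513 section 5.1.2: a DN with an empty password is an "unauthenticated" bind,
                // which servers treat as anonymous (when they accept it at all).
                throw new AnonymousBindException("simple bind with empty SECURITY_CREDENTIALS is unauthenticated");
            }
            Object url = env.get(Context.PROVIDER_URL);
            boolean ldaps = url != null && url.toString().toLowerCase(Locale.ROOT).startsWith("ldaps://");
            boolean sslProp = "ssl".equalsIgnoreCase(String.valueOf(env.get(Context.SECURITY_PROTOCOL)));
            if (!ldaps && !sslProp) {
                throw new AnonymousBindException("simple bind sends the password in clear text; use ldaps:// or SECURITY_PROTOCOL=ssl");
            }
        }
        // Any other mechanism name (SASL mechanisms such as DIGEST-MD5 or GSSAPI) passes through.
    }

    private static boolean isEmptyCredential(Object c) {
        if (c instanceof char[]) return ((char[]) c).length == 0;
        if (c instanceof byte[]) return ((byte[]) c).length == 0;
        return c.toString().isEmpty();
    }

    /** Opens the context only after the environment passes the guard. */
    public static DirContext connect(Hashtable<String, Object> env) throws NamingException {
        requireAuthenticatedBind(env);
        return new InitialDirContext(env);
    }

    public static void main(String[] args) {
        // Constructed sample environments; host, base DN and account are placeholders.
        Hashtable<String, Object> anon = new Hashtable<>();
        anon.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        anon.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");
        anon.put(Context.SECURITY_AUTHENTICATION, "none");           // vulnerable example 1

        Hashtable<String, Object> simpleNoCreds = new Hashtable<>(anon);
        simpleNoCreds.put(Context.SECURITY_AUTHENTICATION, "simple");  // passes the checker, still anonymous

        Hashtable<String, Object> ok = new Hashtable<>(simpleNoCreds);
        ok.put(Context.PROVIDER_URL, "ldaps://localhost:636/o=JNDITutorial");
        ok.put(Context.SECURITY_PRINCIPAL, "cn=app,ou=services,o=JNDITutorial");
        ok.put(Context.SECURITY_CREDENTIALS, System.getenv().getOrDefault("LDAP_BIND_PASSWORD", "example-only"));

        for (Hashtable<String, Object> candidate : List.of(anon, simpleNoCreds, ok)) {
            try {
                requireAuthenticatedBind(candidate);
                System.out.println("accepted: " + candidate.get(Context.SECURITY_AUTHENTICATION));
            } catch (AnonymousBindException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Running main rejects the first two environments (anonymous bind, then simple bind without a principal) and accepts the third. Wiring connect(...) in place of new InitialDirContext(env) turns the static finding into a runtime check that also catches the case the checker cannot see: "simple" with no credentials.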
External guidance
Security training
Application security training materials provided by Secure Code Warrior.