
Non-encrypted confidential information - LDAP

Need

Secure storage and transmission of LDAP service credentials

Context

  • Requirement of PHP 5.6 or later for running the application
  • Usage of php-ldap for LDAP (Lightweight Directory Access Protocol) integration in PHP applications

Description

Non-compliant code

<?php
// Credentials are literals in the source file, so they are readable by anyone
// with access to the code and are preserved in version control history.
$config = [
    'host' => 'ldap.example.com',
    'port' => '389',
    'username' => 'admin',
    'password' => 'password123'
];

$ldapconn = ldap_connect($config['host'], $config['port']);

if ($ldapconn) {
    // Simple bind with the hard-coded username and password.
    $ldapbind = ldap_bind($ldapconn, $config['username'], $config['password']);
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }
}
?>

This PHP code is used to connect to an LDAP server. The LDAP server's host, port, username, and password are stored in an array named $config. This information is then used to establish a connection to the LDAP server using the ldap_connect() function. If the connection is successful, the ldap_bind() function is used to bind to the LDAP directory with the provided username and password.

The vulnerability in this code is that the LDAP service credentials are exposed in plain text. This means that anyone who has access to this code can see the username and password for the LDAP server. If this code is stored in a version control system, then the credentials are also stored in the version control history. This is a significant security risk as it could allow unauthorized users to gain access to the LDAP server.

To fix this vulnerability, the credentials should be stored in a secure and encrypted form. Laravel has built-in functionality for this, such as environment variables and the config helper, which can be used to securely store and retrieve sensitive information.

Steps

  • Remove the hard-coded credentials from the code.
  • Store the credentials in a secure configuration file or use environment variables.
  • Encrypt the configuration file or environment variables for added security.
  • Use secure methods to retrieve and decrypt the credentials when needed.
  • Ensure that the configuration file or environment variables are not included in the version control system.

Compliant code

<?php
// Credentials are read at runtime through Laravel's env() helper, so nothing
// secret is written into the source file.
$config = [
    'host' => env('LDAP_HOST'),
    'port' => env('LDAP_PORT'),
    'username' => env('LDAP_USERNAME'),
    'password' => env('LDAP_PASSWORD')
];

$ldapconn = ldap_connect($config['host'], $config['port']);

if ($ldapconn) {
    $ldapbind = ldap_bind($ldapconn, $config['username'], $config['password']);
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }
}
?>

The above code has been modified to remove the hard-coded LDAP service credentials. Instead of directly writing the credentials in the code, we are now retrieving them from environment variables. This is done using Laravel's env() function, which retrieves the value of an environment variable.

The environment variables LDAP_HOST, LDAP_PORT, LDAP_USERNAME, and LDAP_PASSWORD should be defined in your application's .env file, which is not included in the version control system. This file should be kept secure and access to it should be restricted.

LDAP_HOST=ldap.example.com
LDAP_PORT=389
LDAP_USERNAME=admin
LDAP_PASSWORD=password123

This way, the credentials are not exposed in the code and are kept secure. If you want to add an extra layer of security, you can encrypt the values of these environment variables and then decrypt them when you retrieve them.

Remember to never include the .env file in the version control system to prevent exposing sensitive information.
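The following is an added example, not code from the original page: it covers both halves of the stated need (storage and transmission) by loading the same LDAP_* variables from the process environment in plain PHP, failing closed when one is missing, and upgrading the connection with StartTLS before the bind so the password is not sent in clear text. The function names ldapConfigFromEnv() and bindLdap() are assumptions, and it assumes the variables are exported into the environment rather than read through Laravel's env() helper.

```php
<?php
// Added example (not from the original page). Assumes LDAP_HOST, LDAP_PORT,
// LDAP_USERNAME and LDAP_PASSWORD are exported in the process environment.
declare(strict_types=1);

function ldapConfigFromEnv(): array {
    $required = ['LDAP_HOST', 'LDAP_PORT', 'LDAP_USERNAME', 'LDAP_PASSWORD'];
    $config = [];
    foreach ($required as $name) {
        $value = getenv($name);  // never a literal in source or version control
        if ($value === false || $value === '') {
            // Fail closed: no fallback to a default or hard-coded password.
            throw new RuntimeException("Missing environment variable $name");
        }
        // 'LDAP_HOST' -> 'host', 'LDAP_PASSWORD' -> 'password', etc.
        $config[strtolower(substr($name, 5))] = $value;
    }
    $config['port'] = (int) $config['port'];
    return $config;
}

function bindLdap(array $config) {
    // An LDAP URI makes the host/port pair explicit.
    $uri = sprintf('ldap://%s:%d', $config['host'], $config['port']);
    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException('Invalid LDAP URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Upgrade to TLS before binding: a simple bind over plain ldap:// would
    // otherwise transmit the password in clear text on the wire.
    if (!ldap_start_tls($conn)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($conn));
    }
    if (!@ldap_bind($conn, $config['username'], $config['password'])) {
        // Report the LDAP error text, never the credentials themselves.
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($conn));
    }
    return $conn;
}

$ldapconn = bindLdap(ldapConfigFromEnv());
echo "LDAP bind successful...\n";
ldap_unbind($ldapconn);
```

If the directory only accepts LDAPS, replace the ldap:// URI with ldaps:// on the server's TLS port and drop the ldap_start_tls() call; the credential handling stays the same.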
