EspoCRM Blind LDAP Injection Vulnerability

Vulnerability

A blind LDAP injection vulnerability has been identified in EspoCRM versions 9.1.6 and earlier, when LDAP authentication is enabled. This vulnerability allows remote, unauthenticated attackers to manipulate LDAP queries by injecting crafted input with wildcard characters. Exploitation of this vulnerability could lead to bypassing authentication controls, enumerating valid usernames, or retrieving sensitive directory information, depending on the LDAP server configuration.

Impact

Exploitation of this vulnerability could allow an attacker to match valid usernames, brute-force user passwords through authentication attempts, attempt field enumeration (though this is limited by the lack of verbose error messages), or potentially cause a denial-of-service by sending resource-intensive LDAP queries against large directories.

Reproduction

To reproduce this vulnerability, open the login page of an EspoCRM instance with LDAP authentication enabled and enter a wildcard character in the username field. After submitting, the injected wildcard is passed into the LDAP search filter unescaped, allowing additional characters or patterns to be injected to exploit the vulnerability further. For example, sending 'al*' will match the username 'alice' if it exists.

Remediation

Users can upgrade to EspoCRM version 9.1.7 or later, where this vulnerability has been fixed.
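The root cause described in the Reproduction section is a username interpolated into an LDAP search filter without escaping, so a `*` in the input becomes a filter wildcard. The following is an added Python example, not EspoCRM code and not a description of how the 9.1.7 fix was implemented (the advisory does not say): it builds the login filter both ways, escapes the value per RFC 4515, and runs each filter against a small constructed in-memory directory through a minimal equality-filter matcher, so the difference between `(uid=al*)` and `(uid=al\2a)` is observable offline. The directory entries, the `uid` attribute name, and the `resolve_login` helper are assumptions made for the example.

```python
import re

# Constructed sample directory (example data, not from any real deployment).
SAMPLE_DIRECTORY = [
    {"uid": "alice", "cn": "Alice Example"},
    {"uid": "albert", "cn": "Albert Example"},
    {"uid": "bob", "cn": "Bob Example"},
]

# RFC 4515 filter metacharacters and their hex escapes.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """Vulnerable form: raw interpolation, '*' in the input acts as a wildcard."""
    return "(uid=%s)" % username


def build_login_filter_safe(username: str) -> str:
    """Hardened form: the username is escaped, so '*' is matched literally."""
    return "(uid=%s)" % escape_filter_value(username)


# --- Minimal matcher for a single equality/substring filter "(attr=value)" ---
# It only exists so the two filters above can be evaluated without a directory
# server; it is not an LDAP implementation.
_EQUALITY = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)$")
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def _unescape(literal: str) -> str:
    """Turn \\XX hex escapes back into the bytes they stand for."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def _value_to_regex(value: str) -> str:
    """Unescaped '*' is a wildcard; every other character is literal after unescaping."""
    parts = value.split("*")
    return "^" + ".*".join(re.escape(_unescape(p)) for p in parts) + "$"


def search(directory, ldap_filter: str):
    """Return the uids of entries matching a single (attr=value) filter."""
    m = _EQUALITY.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    attr, value = m.group(1), m.group(2)
    pattern = re.compile(_value_to_regex(value), re.DOTALL)
    return [e["uid"] for e in directory if attr in e and pattern.match(e[attr])]


def resolve_login(directory, username: str):
    """Defender-side lookup: escaped filter, and exactly one entry must match."""
    matches = search(directory, build_login_filter_safe(username))
    if len(matches) != 1:
        return None
    return matches[0]


if __name__ == "__main__":
    for user in ("alice", "al*"):
        print("unsafe", build_login_filter_unsafe(user), search(SAMPLE_DIRECTORY, build_login_filter_unsafe(user)))
        print("safe  ", build_login_filter_safe(user), search(SAMPLE_DIRECTORY, build_login_filter_safe(user)))
        print("login ", user, "->", resolve_login(SAMPLE_DIRECTORY, user))
```

With the unsafe filter, `al*` returns both `alice` and `albert`, which is the username-matching behaviour the advisory describes; with the escaped filter it matches nothing, and `resolve_login` additionally refuses any lookup that does not return exactly one entry. In PHP, the language EspoCRM is written in, the equivalent escaping is the built-in `ldap_escape($value, '', LDAP_ESCAPE_FILTER)`.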

Added: Jul 21, 2025, 6:20 PM
Updated: Jul 21, 2025, 6:20 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 1.3
exploitability: 9.5
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.