Expected Findings
- Filter is built with `(uid=` + user input + `)` and no escaping.
- `*)(uid=*` matches every user.
- Login endpoint uses the same code path with the same flaw.
The directory search builds the LDAP filter by string concatenation, so attacker-controlled parentheses and `*` turn a single-user lookup into a wildcard match.
CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

```
# Vulnerable construction: req.uid is inserted verbatim, so filter metacharacters are interpreted
filter = "(uid=" + req.uid + ")"
```
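The flawed builder beside an escaped and an allowlisted version, with a structural check that flags the finding's `*)(uid=*` payload. This is an added example, not the audited application's code; the uid allowlist pattern and the function names are assumptions, and the escaping follows RFC 4515 (the same characters `ldap3.utils.conv.escape_filter_chars` handles).

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumption for this example: a uid is a short token of letters, digits, '.', '_' or '-'.
_UID_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(uid: str) -> str:
    """The flawed construction from the finding: raw concatenation, no escaping."""
    return "(uid=" + uid + ")"


def build_filter_escaped(uid: str) -> str:
    """Escaping alone: metacharacters become literal text of one assertion."""
    return "(uid=" + escape_filter_value(uid) + ")"


def build_filter_hardened(uid: str) -> str:
    """Allowlist first, then escape anyway (defence in depth)."""
    if not _UID_RE.fullmatch(uid):
        raise ValueError("uid contains characters outside the allowed set")
    return build_filter_escaped(uid)


def top_level_assertions(ldap_filter: str) -> int:
    """Count top-level '(...)' groups in a filter string.

    A single-uid lookup must produce exactly one; run over filters the
    application logs, any other value means input changed the filter's shape.
    """
    count = depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                count += 1
    return count
```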