https://www.osisecurity.com.au/airwatch-self-service-portal-username-parameter-ldap-injection.html

Date: 04-Apr-2017
Product: AirWatch Self Service MDM
Versions affected: v6.1.x, v6.4.x
Vulnerability: LDAP injection

Example:

The https://[target]/DeviceManagement/ URL accepts the following POST parameters:

  AuthenticationMode
  ActivationCode
  Username
  Password
  Login

The 'Username' parameter appears to be vulnerable to an LDAP injection attack. A query of:

  *)(sn=*

takes a long time to complete (minutes), because the injected text forms a valid LDAP filter that enumerates the entire LDAP directory. Other normal (or syntactically invalid LDAP) requests are answered within seconds.

Credit: Discovered by Patrick Webster

Disclosure timeline:

20-Aug-2013 - Discovered during audit.
23-Aug-2013 - Reported to vendor.
26-Aug-2013 - Vendor acknowledged report.
09-Sep-2013 - Vendor confirmed.
15-Oct-2013 - Vendor released v6.5 including fix.
04-Apr-2017 - Public disclosure.

About OSI Security:

OSI Security is an independent network and computer security auditing and consulting company based in Sydney, Australia. We provide internal and external penetration testing, vulnerability auditing and wireless site audits, vendor product assessments, secure network design, forensics and risk mitigation services. We can be found at http://www.osisecurity.com.au/
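The following is an added illustration, not code from the advisory or from the AirWatch product: it shows why the '*)(sn=*' value turns a username lookup into a directory-wide enumeration, and how RFC 4515 escaping of the user-supplied value removes the effect. The '(uid=...)' lookup shape, the sample directory and the toy filter evaluator are all assumptions made for the example (the evaluator handles only '(&...)' and '(attr=pattern)' clauses; a real deployment would use an LDAP library's own escaping).

```python
import re

# Constructed sample directory standing in for the LDAP server behind the portal (hypothetical data).
DIRECTORY = [
    {"objectClass": "person", "uid": "alice", "sn": "Anderson"},
    {"objectClass": "person", "uid": "bob", "sn": "Brown"},
    {"objectClass": "person", "uid": "carol", "sn": "Clark"},
]

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape filter metacharacters so the value is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter_vulnerable(username: str) -> str:
    """Raw concatenation (assumed lookup shape): a ')' in the input closes the uid clause early."""
    return f"(&(objectClass=person)(uid={username}))"

def build_filter_hardened(username: str) -> str:
    """Same lookup with the input escaped; metacharacters lose their meaning."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"

def _parse(s: str, i: int):
    """Tiny recursive-descent parser for '(&...)' and '(attr=pattern)' clauses only."""
    if s[i + 1] == "&":                      # AND node: parse children until ')'
        i, children = i + 2, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        return ("and", children), i + 1      # skip the closing ')'
    j = s.index(")", i)                      # the first ')' ends this clause
    attr, _, pattern = s[i + 1:j].partition("=")
    return ("eq", attr, pattern), j + 1

def _matches(node, entry: dict) -> bool:
    if node[0] == "and":
        return all(_matches(c, entry) for c in node[1])
    _, attr, pattern = node                  # '*' is a wildcard; '\xx' is a literal byte
    unescape = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), p)
    regex = ".*".join(re.escape(unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, entry.get(attr, ""), re.IGNORECASE) is not None

def search(ldap_filter: str, directory=DIRECTORY) -> list:
    node, end = _parse(ldap_filter, 0)       # evaluate the filter, return matching uids
    if end != len(ldap_filter):
        raise ValueError("unparsed trailing filter text")
    return [e["uid"] for e in directory if _matches(node, e)]
```

With the advisory's input, search(build_filter_vulnerable("*)(sn=*")) returns every entry (the filter becomes (&(objectClass=person)(uid=*)(sn=*))), while search(build_filter_hardened("*)(sn=*")) returns nothing because the value is matched as a literal string.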