XSS phpLDAPadmin: 18.104.22.168 (Debian package) and 1.2.2 (sourceforge)
- From: andsarmiento@xxxxxxxxx
- Date: Tue, 31 Jan 2012 18:54:35 GMT
Attached is some PoC analysis related to an XSS vulnerability in phpLDAPadmin. I previously coordinated with the Cert-US so that they would contact Sourceforge and Debian, but received word that they were unable to get in contact with them.
The first discovery was on January 10 for version 1.1.6, after which I noticed that the same vulnerability had been discovered previously. For that reason I later tested version 1.2.2 (sourceforge) and 22.214.171.124 (Debian package).
For more reference, see the attached files.
On January 24 I contacted sourceforge and it appears they fixed the package, but it still persists in the Debian packages.
Fix from sourceforge:
phpLDAPadmin is a web-based LDAP client. It provides easy, anywhere-accessible, multilanguage administration for your LDAP server. Its hierarchical tree-viewer and advanced search functionality make it intuitive to browse and administer your LDAP directory. Since it is a web application, this LDAP browser works on many platforms, making your LDAP server easily manageable from any location.
1.- Version 1.2.2 from Sourceforge package: http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.2/phpldapadmin-1.2.2.tgz/download
Exploitable URIs: http://x.x.x.x/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&query=none&format=list&showresults=na&base=?&scope=sub&filter=objectClass%3D*&display_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search
Exploitable variable: base
Results: XSS passing through "base" variable.
2.- Version 126.96.36.199 from debian (testing and unstable repositories)
Depends: apache2 | httpd, php5-ldap, libapache2-mod-php5 | libapache-mod-php5 | php5-cgi | php5, ucf (>= 0.28), debconf (>= 0.5) | debconf-2.0
Exploitable Variable: server_id
Results: XSS passing through "server_id" variable.
Impact: Remote attackers might be able to perform Cross-Site Scripting (XSS) attacks by various vectors.
Thanks in advance for your comments
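The post names two reflected parameters of cmd.php, `base` (normally an LDAP DN) and `server_id` (normally an integer index). The following detection logic, an added example that is not part of the post or of phpLDAPadmin, scans web-server access log lines for requests to cmd.php in which either parameter carries values those fields never legitimately hold; the log lines are constructed.

```python
"""Flag cmd.php requests whose `base` or `server_id` parameter carries
markup instead of the LDAP DN / integer index those fields normally hold.
Added example; the log lines below are constructed, not from the advisory."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line as it appears in Apache combined log format.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

# server_id indexes the configured server list: a short integer only.
SERVER_ID_OK = re.compile(r'^\d{1,6}$')
# In the RFC 4514 string form of a DN the characters < > " must be
# backslash-escaped, so a raw occurrence marks injected markup (heuristic).
MARKUP_CHARS = re.compile(r'[<>"]')

def suspicious_params(request_line: str) -> list[str]:
    """Return the names of the reflected parameters that look tampered with."""
    m = REQUEST_RE.search(request_line)
    if not m:
        return []
    url = urlsplit(m.group('path'))
    if not url.path.endswith('/cmd.php'):
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    hits = []
    if any(not SERVER_ID_OK.match(v) for v in params.get('server_id', [])):
        hits.append('server_id')
    # unquote() once more so double-encoded values do not slip through.
    if any(MARKUP_CHARS.search(unquote(v)) for v in params.get('base', [])):
        hits.append('base')
    return hits

def scan(log_lines):
    """Yield (client_ip, flagged parameters) for each suspicious request."""
    for line in log_lines:
        hits = suspicious_params(line)
        if hits:
            yield line.split(' ', 1)[0], hits

# Constructed sample log lines; the markup used is a harmless <b> tag.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Jan/2012:18:54:35 +0000] "GET /phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&base=dc%3Dexample%2Cdc%3Dcom&scope=sub HTTP/1.1" 200 4321',
    '10.0.0.9 - - [31/Jan/2012:18:55:01 +0000] "GET /phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&base=%3Cb%3Ex%3C%2Fb%3E&scope=sub HTTP/1.1" 200 4400',
    '10.0.0.9 - - [31/Jan/2012:18:55:07 +0000] "GET /phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=%3Cb%3Ex&base=dc%3Dexample HTTP/1.1" 200 4400',
    '10.0.0.7 - - [31/Jan/2012:18:56:00 +0000] "GET /index.php?base=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == '__main__':
    for ip, hits in scan(SAMPLE_LOG):
        print(ip, hits)
```

The check is path-scoped to cmd.php so that the same parameter names on unrelated pages are not reported; widen the heuristic only after confirming what DNs your directory actually uses.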