Bug 799873 (CVE-2012-1114, CVE-2012-1115)

Summary: CVE-2012-1114 CVE-2012-1115 phpldapadmin: XSS flaws via 'export', 'add_value_form' and 'dn' variables
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: ASSIGNED --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dmitry
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20120303,reported=20120303,source=debian,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/phpldapadmin=affected,epel-6/phpldapadmin=affected,epel-5/phpldapadmin=affected,cwe=CWE-79[auto]
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 799878, 799891, 799892    
Bug Blocks:    

Description Jan Lieskovsky 2012-03-05 05:26:21 EST
Originally (2012-03-01), the following cross-site (XSS) flaws were reported against LDAP Account Manager Pro (from Secunia advisory [1]):
* 1) Input passed to e.g. the "filteruid" POST parameter when filtering result sets in lam/templates/lists/list.php (when "type" is set to a valid value) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

* 2) Input passed to the "filter" POST parameter in lam/templates/3rdParty/pla/htdocs/cmd.php (when "cmd" is set to "export" and "exporter_id" is set to "LDIF") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

* 3) Input passed to the "attr" parameter in lam/templates/3rdParty/pla/htdocs/cmd.php (when "cmd" is set to "add_value_form" and "dn" is set to a valid value) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

References:
[1] http://secunia.com/advisories/48221/
[2] http://www.vulnerability-lab.com/get_content.php?id=458

Later (2012-03-03), it was reported:
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662050#15

that subset (for 'export', 'add_value_form', and 'dn' variables) of these security flaws is applicable also against the code of PhpLDAPadmin, a web-based LDAP client.

Patches from LDAP Account Manager, which are applicable to PphLDAPAdmin:
[4] http://lam.cvs.sourceforge.net/viewvc/lam/lam/templates/3rdParty/pla/lib/export_functions.php?r1=1.4&r2=1.5
[5] http://lam.cvs.sourceforge.net/viewvc/lam/lam/templates/3rdParty/pla/htdocs/export.php?r1=1.1&r2=1.2
[6] http://lam.cvs.sourceforge.net/viewvc/lam/lam/templates/3rdParty/pla/htdocs/add_value_form.php?r1=1.6&r2=1.7
Comment 1 Jan Lieskovsky 2012-03-05 05:38:58 EST
These issues affect the versions of the phpldapadmin package, as shipped with Fedora release of 15 and 16. Please schedule an update.

--

These issues affect the versions of the phpldapadmin package, as shipped with Fedora EPEL 6 and Fedora EPEL 5 (though the latter one might require the proposed patches above to be backported to older PhpLDAPAdmin version being present). Please schedule an update.
Comment 2 Jan Lieskovsky 2012-03-05 05:39:41 EST
CVE request:
[7] http://www.openwall.com/lists/oss-security/2012/03/05/12
Comment 3 Jan Lieskovsky 2012-03-05 05:42:33 EST
Created phpldapadmin tracking bugs for this issue

Affects: fedora-all [bug 799878]
Comment 4 Jan Lieskovsky 2012-03-05 06:04:40 EST
Created phpldapadmin tracking bugs for this issue

Affects: epel-6 [bug 799891]
Affects: epel-5 [bug 799892]
Comment 5 Dmitry Butskoy 2012-03-06 09:55:03 EST
It seems that the patches present perform fix for the bundled, reduced version in LDAP Account manager only. Better to ask upstream anyway.

Reported upstream, https://sourceforge.net/tracker/?func=detail&aid=3497660&group_id=61828&atid=498546