Bug 786821 (CVE-2012-0834) - CVE-2012-0834 phpldapadmin: XSS flaw due improper sanitization of 'base' variable
Summary: CVE-2012-0834 phpldapadmin: XSS flaw due improper sanitization of 'base' vari...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2012-0834
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20120123,repor...
Depends On: 786823 786824
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-02-02 13:56 UTC by Jan Lieskovsky
Modified: 2019-07-12 13:08 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-12 13:08:59 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2012-02-02 13:56:04 UTC
An improper input sanitization flaw was found in the way phpldapadmin, a web-based tool for managing of LDAP servers, performed sanitization of the 'base' variable (intended to contain LDAP base DN) prior displaying the LDAP search query results back to the requester. A remote attacker could provide a specially-crafted URL, which once visited by an unsuspecting, authenticated phpldapadmin user could lead to arbitary HTML or web script execution.

References:
[1] https://secunia.com/advisories/47852/
[2] https://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546
    (upstream bug report)
[3] http://www.openwall.com/lists/oss-security/2012/02/02/9
    (CVE request)

Relevant upstream patch:
[4] http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;a=commit;h=7dc8d57d6952fe681cb9e8818df7f103220457bd

Comment 1 Jan Lieskovsky 2012-02-02 13:58:33 UTC
This issue did NOT affect the versions of the phpldapadmin package, as shipped with Fedora EPEL 4 and Fedora EPEL 5 releases.

--

This issue affects the version of the phpldapadmin package, as shipped with Fedora EPEL 6 release. Please schedule an update.

--

This issue affects the versions of the phpldapadmin package, as shipped with Fedora release of 15 and 16. Please schedule an update.

Comment 2 Jan Lieskovsky 2012-02-02 13:59:33 UTC
Created phpldapadmin tracking bugs for this issue

Affects: epel-6 [bug 786823]
Affects: fedora-all [bug 786824]

Comment 3 Kurt Seifried 2012-02-03 08:53:26 UTC
Assigned CVE-2012-0834 as per http://www.openwall.com/lists/oss-security/2012/02/03/3

Comment 4 Fedora Update System 2012-02-14 08:59:29 UTC
phpldapadmin-1.2.2-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2012-02-14 09:02:02 UTC
phpldapadmin-1.2.2-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Product Security DevOps Team 2019-07-12 13:08:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2012-0834


Note You need to log in before you can comment on or make changes to this bug.