Bug 799873 - (CVE-2012-1114, CVE-2012-1115) CVE-2012-1114 CVE-2012-1115 phpldapadmin: XSS flaws via 'export', 'add_value_form' and 'dn' variables
Status: ASSIGNED
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20120303,repor...
: Security
Depends On: 799878 799891 799892
Reported: 2012-03-05 05:26 EST by Jan Lieskovsky
Modified: 2016-03-04 05:44 EST
Doc Type: Bug Fix
Description Jan Lieskovsky 2012-03-05 05:26:21 EST
Originally (2012-03-01), the following cross-site scripting (XSS) flaws were reported against LDAP Account Manager Pro (from Secunia advisory [1]):
* 1) Input passed to e.g. the "filteruid" POST parameter when filtering result sets in lam/templates/lists/list.php (when "type" is set to a valid value) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

* 2) Input passed to the "filter" POST parameter in lam/templates/3rdParty/pla/htdocs/cmd.php (when "cmd" is set to "export" and "exporter_id" is set to "LDIF") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

* 3) Input passed to the "attr" parameter in lam/templates/3rdParty/pla/htdocs/cmd.php (when "cmd" is set to "add_value_form" and "dn" is set to a valid value) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

References:
[1] http://secunia.com/advisories/48221/
[2] http://www.vulnerability-lab.com/get_content.php?id=458

Later (2012-03-03), it was reported:
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662050#15

that a subset (for the 'export', 'add_value_form', and 'dn' variables) of these security flaws is also applicable to the code of PhpLDAPadmin, a web-based LDAP client.

Patches from LDAP Account Manager, which are applicable to PhpLDAPAdmin:
[4] http://lam.cvs.sourceforge.net/viewvc/lam/lam/templates/3rdParty/pla/lib/export_functions.php?r1=1.4&r2=1.5
[5] http://lam.cvs.sourceforge.net/viewvc/lam/lam/templates/3rdParty/pla/htdocs/export.php?r1=1.1&r2=1.2
[6] http://lam.cvs.sourceforge.net/viewvc/lam/lam/templates/3rdParty/pla/htdocs/add_value_form.php?r1=1.6&r2=1.7
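
The pattern behind flaws 2) and 3) in the description, sketched as an added example (not code from phpLDAPadmin, LDAP Account Manager, or the referenced patches): request values written into HTML unencoded, next to a version that validates the attribute name and encodes on output. All function names and the form markup are hypothetical.

```php
<?php
// Added illustration; not phpLDAPadmin or LDAP Account Manager code.
// All function names and the form markup are hypothetical.

// Escape for HTML text and quoted-attribute contexts.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// RFC 4512 attribute description: a descriptor or numeric OID,
// followed by optional ";option" parts (for example "cn;lang-en").
function is_ldap_attr(string $attr): bool {
    return preg_match(
        '/\A(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)(?:;[A-Za-z0-9-]+)*\z/',
        $attr
    ) === 1;
}

// Before: request values are concatenated into the page as-is.
function render_unsafe(string $dn, string $attr): string {
    return '<form><input type="hidden" name="dn" value="' . $dn . '">'
         . '<label>Add new value to ' . $attr . '</label></form>';
}

// After: reject attribute names that cannot be valid, then encode on output.
// The caller is expected to answer with an error status when this branch is hit.
function render_safe(string $dn, string $attr): string {
    if (!is_ldap_attr($attr)) {
        return '<p>Invalid attribute name.</p>';
    }
    return '<form><input type="hidden" name="dn" value="' . h($dn) . '">'
         . '<label>Add new value to ' . h($attr) . '</label></form>';
}

// Constructed sample input: harmless markup that must never reach the page unencoded.
$dn  = 'cn=test"><i>dn</i>,dc=example,dc=com';
$bad = 'cn<i>attr</i>';

// Each check reports whether the stated property holds.
var_dump(strpos(render_unsafe($dn, $bad), '<i>') !== false);       // unsafe form reflects the markup
var_dump(strpos(render_safe($dn, $bad), '<i>') === false);         // invalid attr is rejected
var_dump(strpos(render_safe($dn, 'cn;lang-en'), '<i>') === false); // dn is encoded on output
```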
Comment 1 Jan Lieskovsky 2012-03-05 05:38:58 EST
These issues affect the versions of the phpldapadmin package as shipped with Fedora releases 15 and 16. Please schedule an update.

--

These issues affect the versions of the phpldapadmin package as shipped with Fedora EPEL 6 and Fedora EPEL 5 (though the latter might require the proposed patches above to be backported to the older PhpLDAPAdmin version present there). Please schedule an update.
Comment 2 Jan Lieskovsky 2012-03-05 05:39:41 EST
CVE request:
[7] http://www.openwall.com/lists/oss-security/2012/03/05/12
Comment 3 Jan Lieskovsky 2012-03-05 05:42:33 EST
Created phpldapadmin tracking bugs for this issue

Affects: fedora-all [bug 799878]
Comment 4 Jan Lieskovsky 2012-03-05 06:04:40 EST
Created phpldapadmin tracking bugs for this issue

Affects: epel-6 [bug 799891]
Affects: epel-5 [bug 799892]
Comment 5 Dmitry Butskoy 2012-03-06 09:55:03 EST
It seems that the patches presented perform the fix only for the bundled, reduced version in LDAP Account Manager. Better to ask upstream anyway.

Reported upstream, https://sourceforge.net/tracker/?func=detail&aid=3497660&group_id=61828&atid=498546
