Bug 799873 (CVE-2012-1114, CVE-2012-1115) - CVE-2012-1114 CVE-2012-1115 phpldapadmin: XSS flaws via 'export', 'add_value_form' and 'dn' variables
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2012-1114, CVE-2012-1115
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 799878 799891 799892
Blocks:
Reported: 2012-03-05 10:26 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:50 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-12 13:09:00 UTC



Description Jan Lieskovsky 2012-03-05 10:26:21 UTC
Originally (2012-03-01), the following cross-site scripting (XSS) flaws were reported against LDAP Account Manager Pro (from Secunia advisory [1]):
* 1) Input passed to e.g. the "filteruid" POST parameter when filtering result sets in lam/templates/lists/list.php (when "type" is set to a valid value) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

* 2) Input passed to the "filter" POST parameter in lam/templates/3rdParty/pla/htdocs/cmd.php (when "cmd" is set to "export" and "exporter_id" is set to "LDIF") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

* 3) Input passed to the "attr" parameter in lam/templates/3rdParty/pla/htdocs/cmd.php (when "cmd" is set to "add_value_form" and "dn" is set to a valid value) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

References:
[1] http://secunia.com/advisories/48221/
[2] http://www.vulnerability-lab.com/get_content.php?id=458

Later (2012-03-03), it was reported:
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662050#15

that a subset of these security flaws (for the 'export', 'add_value_form', and 'dn' variables) is also applicable to the code of PhpLDAPadmin, a web-based LDAP client.

Patches from LDAP Account Manager, which are applicable to PhpLDAPAdmin:
[4] http://lam.cvs.sourceforge.net/viewvc/lam/lam/templates/3rdParty/pla/lib/export_functions.php?r1=1.4&r2=1.5
[5] http://lam.cvs.sourceforge.net/viewvc/lam/lam/templates/3rdParty/pla/htdocs/export.php?r1=1.1&r2=1.2
[6] http://lam.cvs.sourceforge.net/viewvc/lam/lam/templates/3rdParty/pla/htdocs/add_value_form.php?r1=1.6&r2=1.7
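As an added defender's illustration (not code from phpldapadmin, LDAP Account Manager, or the patches linked above), the unescaped-echo pattern behind these reports is shown beside its escaped form; the parameter names follow the report, while the markup and function names are hypothetical.

```php
<?php
// Added illustration of the flaw class described in the report; not code
// from phpldapadmin or LDAP Account Manager. Parameter names ('filter',
// 'attr', 'dn') follow the report; the form markup is a hypothetical stand-in.

// Vulnerable pattern: the request value is echoed straight back into the
// page, so a value containing markup is interpreted by the browser.
function render_export_form_vulnerable(array $request): string
{
    $filter = $request['filter'] ?? '(objectClass=*)';
    return '<input type="text" name="filter" value="' . $filter . '">';
}

// Hardened pattern: every untrusted value is escaped for the exact context
// it lands in (here an HTML attribute), with both quote characters encoded.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_export_form(array $request): string
{
    $filter = $request['filter'] ?? '(objectClass=*)';
    return '<input type="text" name="filter" value="' . h($filter) . '">';
}

function render_add_value_form(array $request): string
{
    $dn   = $request['dn'] ?? '';
    $attr = $request['attr'] ?? '';
    return '<form method="post">'
         . '<input type="hidden" name="dn" value="' . h($dn) . '">'
         . '<input type="hidden" name="attr" value="' . h($attr) . '">'
         . '</form>';
}

// Constructed sample input: a filter value that closes the attribute early.
$sample = [
    'filter' => '"><b>bad</b>',
    'dn'     => 'cn=x,dc=example,dc=org',
    'attr'   => 'mail',
];
echo render_export_form_vulnerable($sample), "\n"; // <b> becomes live markup
echo render_export_form($sample), "\n";            // quotes and angle brackets are entity-encoded
echo render_add_value_form($sample), "\n";
```

The same escaping must be applied wherever 'dn' or 'attr' is written into text content or a JavaScript string, using the encoder for that context rather than reusing the attribute encoder.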

Comment 1 Jan Lieskovsky 2012-03-05 10:38:58 UTC
These issues affect the versions of the phpldapadmin package as shipped with Fedora releases 15 and 16. Please schedule an update.

--

These issues affect the versions of the phpldapadmin package as shipped with Fedora EPEL 6 and Fedora EPEL 5 (though the latter might require the proposed patches above to be backported to the older PhpLDAPAdmin version present there). Please schedule an update.

Comment 2 Jan Lieskovsky 2012-03-05 10:39:41 UTC
CVE request:
[7] http://www.openwall.com/lists/oss-security/2012/03/05/12

Comment 3 Jan Lieskovsky 2012-03-05 10:42:33 UTC
Created phpldapadmin tracking bugs for this issue

Affects: fedora-all [bug 799878]

Comment 4 Jan Lieskovsky 2012-03-05 11:04:40 UTC
Created phpldapadmin tracking bugs for this issue

Affects: epel-6 [bug 799891]
Affects: epel-5 [bug 799892]

Comment 5 Dmitry Butskoy 2012-03-06 14:55:03 UTC
It seems that the patches provided only fix the bundled, reduced version in LDAP Account Manager. Better to ask upstream anyway.

Reported upstream, https://sourceforge.net/tracker/?func=detail&aid=3497660&group_id=61828&atid=498546

Comment 6 Product Security DevOps Team 2019-07-12 13:09:00 UTC

