Originally (2012-03-01), the following cross-site scripting (XSS) flaws were reported against LDAP Account Manager Pro (from Secunia advisory [1]):

* 1) Input passed to e.g. the "filteruid" POST parameter when filtering result sets in lam/templates/lists/list.php (when "type" is set to a valid value) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

* 2) Input passed to the "filter" POST parameter in lam/templates/3rdParty/pla/htdocs/cmd.php (when "cmd" is set to "export" and "exporter_id" is set to "LDIF") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

* 3) Input passed to the "attr" parameter in lam/templates/3rdParty/pla/htdocs/cmd.php (when "cmd" is set to "add_value_form" and "dn" is set to a valid value) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

References:
[1] http://secunia.com/advisories/48221/
[2] http://www.vulnerability-lab.com/get_content.php?id=458

Later (2012-03-03), it was reported:
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662050#15
that a subset (for the 'export', 'add_value_form', and 'dn' variables) of these security flaws is applicable also against the code of PhpLDAPadmin, a web-based LDAP client.

Patches from LDAP Account Manager, which are applicable to PhpLDAPAdmin:
[4] http://lam.cvs.sourceforge.net/viewvc/lam/lam/templates/3rdParty/pla/lib/export_functions.php?r1=1.4&r2=1.5
[5] http://lam.cvs.sourceforge.net/viewvc/lam/lam/templates/3rdParty/pla/htdocs/export.php?r1=1.1&r2=1.2
[6] http://lam.cvs.sourceforge.net/viewvc/lam/lam/templates/3rdParty/pla/htdocs/add_value_form.php?r1=1.6&r2=1.7
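The three flaws above share one pattern: a request parameter ("filter", "attr") is written back into the HTML response without output encoding, and discrete selectors ("cmd", "exporter_id") are trusted as given. The following PHP is an added illustration of that pattern and its usual fix; it is hypothetical code written for this report, not PhpLDAPadmin's or LDAP Account Manager's code and not the content of patches [4]-[6]. The function names, the exporter allow-list and the sample input are all constructed for the example.

```php
<?php
// Hypothetical illustration (not PhpLDAPadmin/LAM code): reflecting a request
// value into HTML, unsafe and hardened forms side by side.
declare(strict_types=1);

/**
 * Unsafe pattern: the raw request value is concatenated into an HTML attribute.
 * A double quote in $filter closes the attribute and the rest is parsed as markup,
 * which is the "not properly sanitised before being returned" condition above.
 */
function render_filter_field_unsafe(string $filter): string
{
    return '<input type="text" name="filter" value="' . $filter . '">';
}

/**
 * Hardened form: encode at the output boundary. ENT_QUOTES covers both quote
 * styles so the value cannot escape a quoted attribute; ENT_SUBSTITUTE replaces
 * invalid UTF-8 instead of returning an empty string, which would silently
 * drop the user's filter.
 */
function render_filter_field(string $filter): string
{
    $safe = htmlspecialchars($filter, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="filter" value="' . $safe . '">';
}

/**
 * Selectors such as "exporter_id" should be mapped through an allow-list and
 * never echoed; anything not in the list is rejected (null), so the request
 * value itself never reaches the page. The list is a constructed example.
 */
function resolve_exporter(string $requested): ?string
{
    $allowed = ['LDIF' => 'ldif', 'CSV' => 'csv'];
    return $allowed[$requested] ?? null;
}

/**
 * An attribute name ("attr") is also used in LDAP operations, so it can be
 * validated against the attribute-description grammar of RFC 4512 (a descr
 * like "mail" or a numeric OID like "2.5.4.3") before it is used or displayed.
 */
function is_valid_attribute_name(string $attr): bool
{
    return (bool) preg_match('/^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)$/', $attr);
}

// Constructed sample input: a legitimate-looking LDAP filter followed by
// characters that terminate the HTML attribute.
$input = '(cn=*)"><b>x</b>';

echo "unsafe:   ", render_filter_field_unsafe($input), PHP_EOL;
echo "hardened: ", render_filter_field($input), PHP_EOL;

// Selector handling: only the allow-listed name resolves.
var_dump(resolve_exporter('LDIF'));
var_dump(resolve_exporter('LDIF"><b>'));

// Attribute-name validation for the "attr" parameter.
var_dump(is_valid_attribute_name('mail'));
var_dump(is_valid_attribute_name('2.5.4.3'));
var_dump(is_valid_attribute_name('mail"><b>'));
```

Run with `php example.php`. The first line shows the attribute boundary being broken by the raw value; the second shows the same value rendered inert as text inside the attribute. Encoding belongs at the point of output, not at input, because the same filter string must still reach the LDAP layer unchanged (where it is escaped by LDAP filter rules, a separate concern).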
These issues affect the versions of the phpldapadmin package, as shipped with Fedora releases 15 and 16. Please schedule an update.

--

These issues affect the versions of the phpldapadmin package, as shipped with Fedora EPEL 6 and Fedora EPEL 5 (though the latter one might require the proposed patches above to be backported to the older PhpLDAPAdmin version present there). Please schedule an update.
CVE request:
[7] http://www.openwall.com/lists/oss-security/2012/03/05/12
Created phpldapadmin tracking bugs for this issue

Affects: fedora-all [bug 799878]
Created phpldapadmin tracking bugs for this issue

Affects: epel-6 [bug 799891]
Affects: epel-5 [bug 799892]
It seems that the patches presented fix only the bundled, reduced version in LDAP Account Manager. Better to ask upstream anyway.

Reported upstream, https://sourceforge.net/tracker/?func=detail&aid=3497660&group_id=61828&atid=498546