oss-sec mailing list archives

Re: CVE request: phpldapadmin "base" Cross-Site Scripting Vulnerability
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 03 Feb 2012 01:48:52 -0700

On 02/02/2012 04:15 AM, Agostino Sarubbo wrote:
According to the Secunia advisory:

Input passed via the "base" parameter to cmd.php (when "cmd" is set
to "query_engine") is not properly sanitised in lib/QueryRender.php
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in
context of an affected site.

The vulnerability is confirmed in version 1.2.2. Other versions may
also be affected.

Original Advisory:

Commit code:

Ah our missing friend htmlspecialchars. Please use CVE-2012-0834 for
this issue.

Kurt Seifried
Red Hat Security Response Team (SRT)
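As an added illustration (not phpLDAPadmin's code and not taken from the advisory or the commit), the pattern the advisory describes, a request parameter echoed into HTML unescaped, is shown beside the htmlspecialchars() fix; the function names, the markup and the sample input are assumed:

```php
<?php
// Added illustration, not phpLDAPadmin's code: a minimal stand-in for the
// pattern the advisory describes (lib/QueryRender.php returning the "base"
// request parameter into the page unescaped), beside the htmlspecialchars()
// fix. Function names, markup and the sample input are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the value is placed straight into an attribute and
// into element text, so a crafted "base" parameter can break out of both.
function render_base_field_vulnerable(string $base): string
{
    return '<input type="text" name="base" value="' . $base . '">'
         . '<p>Search base: ' . $base . '</p>';
}

// Fixed pattern: escape at output time, in HTML context. ENT_QUOTES also
// escapes single quotes so the value is safe inside either attribute quoting
// style; the explicit charset avoids encoding-dependent escaping mistakes.
function render_base_field_fixed(string $base): string
{
    $safe = htmlspecialchars($base, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="base" value="' . $safe . '">'
         . '<p>Search base: ' . $safe . '</p>';
}

// Constructed test input: a plausible search base followed by characters
// that would terminate the attribute and start markup if left unescaped.
$input = 'dc=example,dc=com"><b>injected</b>';

$vulnerable = render_base_field_vulnerable($input);
$fixed      = render_base_field_fixed($input);

// Self-check: the untrusted value's markup survives in the vulnerable output
// but appears only as &lt;b&gt; / &quot; in the fixed output.
assert(strpos($vulnerable, '<b>injected</b>') !== false);
assert(strpos($fixed, '<b>') === false);
assert(strpos($fixed, '&lt;b&gt;injected&lt;/b&gt;') !== false);

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";
```

The same escaping must be applied at every point where the parameter is emitted, since a single unescaped sink is enough to reproduce the issue.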
