Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request -- LDAP Account Manager Pro / PhpLDAPadmin -- Multiple XSS flaws
From: Roland Gruber <post () rolandgruber de>
Date: Mon, 12 Mar 2012 23:02:20 +0100

Hi all,

On 12.03.2012 12:18, Jan Lieskovsky wrote:
Can we consider the CVE-2012-1114, CVE-2012-1115
identifiers below to be valid also for phpLDAPAdmin code?

yes.

Roland, could you clarify, if phpLDAPAdmin code would be vulnerable
to all issues listed for LDAP Account Manager too or if phpLDAPAdmin
would be vulnerable only for XSS issues when processing:
i)   'export', 
ii)  'add_value_form'
iii)  and 'dn' variables?

phpLDAPadmin is vulnerable to i, ii and iii.

And LDAP Account Manager would be vulnerable yet to additional
XSS flaws, due improper sanitization of 'filteruid', 'type',
and 'cmd' variables? (and these would be LDAP Account Manager
specific)

Regarding the filteruid problem I cannot reproduce this. The variable is properly sanitized.
This is a LAM only thing.


-- 

Best regards

Roland


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault