Re: CVE Request -- LDAP Account Manager Pro / PhpLDAPadmin -- Multiple XSS flaws
From: Roland Gruber <post () rolandgruber de>
Date: Mon, 12 Mar 2012 23:02:20 +0100
On 12.03.2012 12:18, Jan Lieskovsky wrote:
> Can we consider the CVE-2012-1114, CVE-2012-1115
> identifiers below to be valid also for phpLDAPAdmin code?
> Roland, could you clarify, if phpLDAPAdmin code would be vulnerable
> to all issues listed for LDAP Account Manager too or if phpLDAPAdmin
> would be vulnerable only for XSS issues when processing:
> iii) and 'dn' variables?
phpLDAPadmin is vulnerable to i, ii and iii.
> And LDAP Account Manager would be vulnerable yet to additional
> XSS flaws, due to improper sanitization of 'filteruid', 'type',
> and 'cmd' variables? (and these would be LDAP Account Manager
Regarding the filteruid problem, I cannot reproduce this. The variable is properly sanitized.
This is a LAM only thing.
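The thread above is about which request variables reach the HTML output unencoded. The following is an added, generic illustration of that bug class in PHP; it is not code from phpLDAPadmin or LDAP Account Manager, and the parameter name 'dn', the function names and the page layout are assumptions made for the example.

```php
<?php
// Added illustration of reflected XSS from an unencoded request variable.
// Hypothetical code: not taken from phpLDAPadmin or LDAP Account Manager.
// The 'dn' parameter name and the page fragments are assumptions.

// Vulnerable pattern: the raw query-string value is interpolated into HTML
// (page body and an attribute) without any context-specific encoding.
function render_entry_vulnerable(array $get): string
{
    $dn = $get['dn'] ?? '';
    return "<h2>Entry: {$dn}</h2>\n"
         . "<a href=\"edit.php?dn={$dn}\">edit</a>\n";
}

// Hardened pattern: encode at the output point for each context.
//  - htmlspecialchars() with ENT_QUOTES for text nodes and attribute values
//    (ENT_QUOTES also encodes single quotes, which matters in attributes).
//  - rawurlencode() for the query-string component, then attribute-encode
//    the whole URL because it is placed inside href="...".
function render_entry_hardened(array $get): string
{
    $dn = $get['dn'] ?? '';
    $text = htmlspecialchars($dn, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $url  = 'edit.php?dn=' . rawurlencode($dn);
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h2>Entry: {$text}</h2>\n"
         . "<a href=\"{$href}\">edit</a>\n";
}

// Constructed input: a syntactically plausible DN with markup appended,
// used only to make the difference between the two renderings visible.
$constructed = [
    'dn' => 'cn=test,dc=example,dc=com"><script>alert(1)</script>',
];

echo "--- vulnerable ---\n";
echo render_entry_vulnerable($constructed);

echo "--- hardened ---\n";
echo render_entry_hardened($constructed);
```

Run with `php example.php`: in the first rendering the closing quote and the script element land in the page as-is, so both the attribute and the text node can be broken out of; in the second they are emitted as entity and percent-encoded text and stay inert. The point of encoding at the output site, rather than "sanitizing" on input, is that the same DN value can be written safely into a text node, an attribute and a URL, each with the encoding that context requires.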