ldap-account-manager current_language Pre-Auth Cross-Site-Scripting

2013-10-22 / 2013-10-23
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

=== Security Advisory ===

ldap-account-manager-4.3 - PreAuth XSS
------------------------------------------------------------

Affected Version
================
ldap-account-manager-4.3, ldap-account-manager-4.2.1 and possibly others

Problem Overview
================
Technical Risk: medium
Likelihood of Exploitation: medium
Vendor: Debian / Roland Gruber
Reported by: Eric Sesterhenn <snakebyte@gmx.de>
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013001.txt
Advisory Status: Private

Problem Impact
==============
While taking a quick look at the LDAP Account Manager, an XSS issue was found. It is possible to execute JavaScript in a victim's browser after tricking the victim into posting certain data to the website.

Problem Description
===================
The file "./templates/login.php" contains a Cross-Site-Scripting issue on line 122. When the parameter current_language is set to malicious input (e.g. foo%3A"><script>alert(1)</script>%3Abar), JavaScript is executed in the victim's browser. The parameter current_language is retrieved from $_SESSION['language'] in line 119, which is a copy of $_POST['language'] (line 117).

Temporary Workaround and Fix
============================
Apply the following patch to properly encode the variable:

--- templates/login.php.orig 2013-09-25 07:53:03.107208062 +0200
+++ templates/login.php 2013-09-25 07:53:20.715207533 +0200
@@ -119,7 +119,7 @@ if (isset($_POST['language'])) {
 $current_language = explode(":",$_SESSION['language']);
 $_SESSION['header'] = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">\n\n";
 $_SESSION['header'] .= "<html>\n<head>\n";
-$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html; charset=" . $current_language[1] . "\">\n";
+$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html; charset=" . htmlentities($current_language[1]) . "\">\n";
 $_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <meta http-equiv=\"cache-control\" content=\"no-cache\">";
 /**

History
=======
25.09.2013 - Issue detected
20.10.2013 - Vendor notified

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
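Review bot: the `+` line only encodes the charset field at the output point; the hunk shows that $_SESSION['language'] is split with explode(":", ...) and indexed at [1] without any check that the stored value has the expected shape, and the advisory states that the session value is a plain copy of $_POST['language']. Suggest validating the posted language against the list of configured languages before it is stored in the session (falling back to a default), so unknown values never reach the header at all; this also avoids an undefined-index notice when the value contains no colon. Consider passing ENT_QUOTES to htmlentities so the encoding stays sufficient if the attribute quoting is ever changed.

The vulnerable header construction beside a hardened variant that validates the language string against an allowlist and still encodes at output, as an added example (not LAM's own code); the "locale:charset:label" format and the allowlist entries are assumptions constructed for the demonstration:

```php
<?php
// Added example, not code from ldap-account-manager. It models the login.php
// header construction described in the advisory: the posted "language" value
// is split on ":" and the second field ends up in a <meta charset=...> tag.

// Constructed allowlist of supported language strings. In LAM these come from
// the configuration; the "locale:charset:label" format is an assumption here.
const SUPPORTED_LANGUAGES = [
    'en_GB.utf8:UTF-8:English (Great Britain)',
    'de_DE.utf8:UTF-8:Deutsch (Deutschland)',
];

// Vulnerable variant: the charset field is concatenated into the attribute as-is,
// so any markup in the posted value becomes part of the page.
function buildHeaderVulnerable(string $language): string {
    $parts = explode(':', $language);
    return '<meta http-equiv="content-type" content="text/html; charset=' . $parts[1] . '">';
}

// Hardened variant: accept only a known language string, fall back to a default
// otherwise, and still encode at the output point so safety does not depend on
// the allowlist alone. ENT_QUOTES also covers single-quoted attributes.
function buildHeaderSafe(string $language): string {
    if (!in_array($language, SUPPORTED_LANGUAGES, true)) {
        $language = SUPPORTED_LANGUAGES[0];
    }
    $parts = explode(':', $language);
    $charset = htmlentities($parts[1], ENT_QUOTES, 'UTF-8');
    return '<meta http-equiv="content-type" content="text/html; charset=' . $charset . '">';
}

// The (URL-decoded) payload quoted in the advisory, as sent in the POST "language" field.
$malicious = 'foo:"><script>alert(1)</script>:bar';

echo buildHeaderVulnerable($malicious), "\n";        // script element lands in the page
echo buildHeaderSafe($malicious), "\n";              // unknown value: falls back to UTF-8
echo buildHeaderSafe(SUPPORTED_LANGUAGES[1]), "\n";  // known value: passes through encoded
```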

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726976
http://seclists.org/oss-sec/2013/q4/147

