Package: ldap-account-manager
Version: 4.3
Severity: grave
Tags: security
Justification: user security hole
=== Security Advisory ===

ldap-account-manager-4.3 - PreAuth XSS
------------------------------------------------------------

Affected Version
================
ldap-account-manager-4.3, ldap-account-manager-4.2.1 and possibly others

Problem Overview
================
Technical Risk: medium
Likelihood of Exploitation: medium
Vendor: Debian / Roland Gruber
Reported by: Eric Sesterhenn <snakeb...@gmx.de>
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013001.txt
Advisory Status: Private

Problem Impact
==============
While taking a quick look at the LDAP Account Manager, an XSS issue has been found. It is possible to execute JavaScript in a victim's browser after tricking the victim into posting certain data to the website.

Problem Description
===================
The file "./templates/login.php" contains a Cross-Site-Scripting issue on line 122. When the parameter current_language is set to malicious input (e.g. foo%3A"><script>alert(1)</script>%3Abar), JavaScript is executed in the victim's browser. The parameter current_language is retrieved from $_SESSION['language'] in line 119, which is a copy of $_POST['language'] (line 117).

Temporary Workaround and Fix
============================
Apply the following patch to properly encode the variable:

--- templates/login.php.orig 2013-09-25 07:53:03.107208062 +0200
+++ templates/login.php 2013-09-25 07:53:20.715207533 +0200
@@ -119,7 +119,7 @@ if (isset($_POST['language'])) { $current_language = explode(":",$_SESSION['language']); $_SESSION['header'] = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">\n\n"; $_SESSION['header'] .= "<html>\n<head>\n"; -$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html; charset=" . $current_language[1] . "\">\n"; +$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html; charset=" . htmlentities($current_language[1]) . "\">\n"; $_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <meta http-equiv=\"cache-control\" content=\"no-cache\">"; /**

History
=======
25.09.2013 - Issue detected
20.10.2013 - Vendor notified

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
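Review bot: wrapping $current_language[1] in htmlentities() closes the injection at line 122, but the root cause the advisory names at line 117, copying $_POST['language'] into $_SESSION['language'] without checking it against the configured language list, is left in place, and any other code that reads $current_language[0] from the same explode() gets no protection from this change. Suggest rejecting a POSTed language that is not one of the supported entries before it is stored in the session, and keeping the htmlentities() call as defence in depth. Note also that explode(":", ...) returns a single element when the value contains no colon, so $current_language[1] is then undefined; validating the whole entry up front avoids that as well.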
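The header construction the advisory describes, as an added illustration that is not code from LAM or from the reporter: the unescaped form beside a hardened form that first checks the POSTed value against the configured list and then encodes the charset. The "code:charset:label" entry format, the sample language list and the function names are assumptions made for this example.

```php
<?php
// Added example (not LAM's own code). Language entries are assumed to follow
// the form "code:charset:label", e.g. "en_GB:utf-8:English (Great Britain)";
// login.php takes the charset from index 1 of the explode() result.

// Vulnerable form, as described in the advisory: the POSTed value is stored in
// the session and the charset part is written into the attribute unescaped.
function buildHeaderVulnerable(string $postedLanguage): string {
    $current_language = explode(":", $postedLanguage);
    return "<meta http-equiv=\"content-type\" content=\"text/html; charset="
        . $current_language[1] . "\">\n";
}

// Hardened form: accept only an entry that exists in the configured list (which
// also guarantees the colon-separated shape), then HTML-encode the charset as a
// second layer when it is placed inside the double-quoted attribute.
function buildHeaderHardened(string $postedLanguage, array $supportedLanguages): string {
    if (!in_array($postedLanguage, $supportedLanguages, true)) {
        $postedLanguage = $supportedLanguages[0]; // unknown entry: fall back to the default
    }
    $parts   = explode(":", $postedLanguage);
    $charset = htmlspecialchars($parts[1], ENT_QUOTES | ENT_HTML401, 'UTF-8');
    return "<meta http-equiv=\"content-type\" content=\"text/html; charset="
        . $charset . "\">\n";
}

// Constructed sample list and the payload quoted in the advisory (URL-decoded).
$supported = ["en_GB:utf-8:English (Great Britain)", "de_DE:utf-8:Deutsch (Deutschland)"];
$payload   = 'foo:"><script>alert(1)</script>:bar';

echo buildHeaderVulnerable($payload);           // attribute is closed and a script tag is emitted
echo buildHeaderHardened($payload, $supported); // entry rejected; default charset utf-8 is used
```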