Hi Eric,

thank you very much for reporting this issue. There is a patch available now: https://sourceforge.net/p/lam/bugs/156/#a1dc

Best regards

Roland

On 21.10.2013 08:49, Eric Sesterhenn wrote:
> Package: ldap-account-manager
> Version: 4.3
> Severity: grave
> Tags: security
> Justification: user security hole
>
> === Security Advisory ===
>
> ldap-account-manager-4.3 - PreAuth XSS
> ------------------------------------------------------------
>
> Affected Version
> ================
> ldap-account-manager-4.3, ldap-account-manager-4.2.1 and possibly others
>
> Problem Overview
> ================
> Technical Risk: medium
> Likelihood of Exploitation: medium
> Vendor: Debian / Roland Gruber
> Reported by: Eric Sesterhenn <snakeb...@gmx.de>
> Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013001.txt
> Advisory Status: Private
>
> Problem Impact
> ==============
> While taking a quick look at the LDAP account manager, an XSS issue has been found. It is possible to execute JavaScript in a victim's browser after tricking the victim into posting certain data to the website.
>
> Problem Description
> ===================
> The file "./templates/login.php" contains a Cross-Site-Scripting issue on line 122. When the parameter current_language is set to malicious input (e.g. foo%3A"><script>alert(1)</script>%3Abar), JavaScript is executed in the victim's browser. The parameter current_language is retrieved from $_SESSION['language'] in line 119, which is a copy of $_POST['language'] (line 117).
>
> Temporary Workaround and Fix
> ============================
> Apply the following patch to properly encode the variable:
>
> --- templates/login.php.orig	2013-09-25 07:53:03.107208062 +0200
> +++ templates/login.php	2013-09-25 07:53:20.715207533 +0200
> @@ -119,7 +119,7 @@ if (isset($_POST['language'])) {
>  $current_language = explode(":",$_SESSION['language']);
>  $_SESSION['header'] = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">\n\n";
>  $_SESSION['header'] .= "<html>\n<head>\n";
> -$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html; charset=" . $current_language[1] . "\">\n";
> +$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html; charset=" . htmlentities($current_language[1]) . "\">\n";
>  $_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <meta http-equiv=\"cache-control\" content=\"no-cache\">";
>
>  /**
>
> History
> =======
> 25.09.2013 - Issue detected
> 20.10.2013 - Vendor notified
>
> -- System Information:
> Debian Release: jessie/sid
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
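Review bot: the `+` line encodes the charset value at output time, which neutralizes the markup shown in the report, but the value still enters `$_SESSION['language']` straight from `$_POST['language']` (line 117 per the advisory) without validation, so any other consumer of `$current_language` remains exposed; consider validating the posted language against the values the application actually offers before storing it in the session, in addition to encoding here. Two smaller points on the same lines: `explode(":", ...)` followed by `$current_language[1]` yields an undefined index and an empty `charset=` when the posted value contains no colon, and `htmlentities()` without `ENT_QUOTES` leaves single quotes unencoded, which is fine for this double-quoted attribute but worth making explicit so the line stays safe if the quoting style is ever changed.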
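As an added illustration (not code from the LAM project or the advisory), the header construction the report describes in three forms: the vulnerable line, the posted fix, and a variant that additionally allowlists the posted value before it is used; the language list is an assumed placeholder, and the input is the payload shape quoted in the advisory.

```php
<?php
declare(strict_types=1);

// Assumed list of offered languages in the "locale:charset" shape
// login.php splits on ":"; constructed for this example only.
const SUPPORTED_LANGUAGES = ['en_GB.utf8:UTF-8', 'de_DE.utf8:UTF-8'];

const META_PREFIX = "<meta http-equiv=\"content-type\" content=\"text/html; charset=";

/** Vulnerable form: field 1 of the posted value lands raw inside the attribute. */
function buildHeaderVulnerable(string $postedLanguage): string
{
    $current_language = explode(":", $postedLanguage);
    return META_PREFIX . $current_language[1] . "\">\n";
}

/** The posted patch: output encoding only; markup is neutralized, charset stays bogus. */
function buildHeaderPatched(string $postedLanguage): string
{
    $current_language = explode(":", $postedLanguage);
    // ENT_QUOTES made explicit so both quote kinds are encoded regardless of PHP defaults.
    return META_PREFIX . htmlentities($current_language[1] ?? '', ENT_QUOTES, 'UTF-8') . "\">\n";
}

/** Hardened form: allowlist at the trust boundary, then encode on output. */
function buildHeaderHardened(string $postedLanguage): string
{
    // Anything not offered by the application falls back to the first entry,
    // so $current_language[1] is always a known charset and never undefined.
    if (!in_array($postedLanguage, SUPPORTED_LANGUAGES, true)) {
        $postedLanguage = SUPPORTED_LANGUAGES[0];
    }
    $current_language = explode(":", $postedLanguage);
    return META_PREFIX . htmlentities($current_language[1], ENT_QUOTES, 'UTF-8') . "\">\n";
}

// Constructed input: the decoded payload shape from the advisory.
$payload = 'foo:"><script>alert(1)</script>:bar';

echo buildHeaderVulnerable($payload);          // attribute closed, <script> lands in the page
echo buildHeaderPatched($payload);             // &quot;&gt;&lt;script&gt;... stays inside the attribute
echo buildHeaderHardened($payload);            // charset=UTF-8 from the allowlist fallback
echo buildHeaderHardened('de_DE.utf8:UTF-8');  // legitimate value passes through unchanged
```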