phpLDAPadmin <= 1.2.3 'entry_chooser.php' Multiple Cross-Site Scripting

Bug #1701731 reported by Ismail on 2017-06-30
Affects Status Importance Assigned to Milestone
phpLDAPadmin
Confirmed
Unknown
phpldapadmin (Ubuntu)
Undecided
Unassigned

Bug Description

$request['form'] and $request['rdn'] parameters in file htdocs/entry_chooser.php aren't properly sanitized before being echoed to the user, which allows a remote attacker to inject arbitrary HTML/JavaScript code in a user's context.

    $request['form'] = get_request('form','GET');
    ..
    $request['rdn'] = get_request('rdn','GET');
    ..
    printf(" eval ('o = opener.document.getElementById(\"%s\").%s;');",$request['form'],$request['element']);
    ..
    $href['return'] = sprintf("javascript:returnDN('%s%s')",($request['rdn'] ? sprintf('%s,',$request['rdn']) : ''),str_replace('\\','\\\\',$dn));

This vulnerability, if successfully exploited, can lead to data manipulation or information leakage, as demonstrated in the PoC video.

# PoC Video:

https://www.youtube.com/watch?v=Ww7LD_bmH-o

# Affected versions

Versions from 1.1.0 to 1.2.3

Ubuntu release: 16.04.2 LTS
Package version: 1.2.2-5.2ubuntu2
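The two sinks quoted in the description, handled with context-aware encoding in an added example that is not phpLDAPadmin's code or the patch shipped in the debdiff: the 'form'/'element' values are constrained to identifiers, and the 'rdn'/'dn' value is encoded as a JS string literal and then as an HTML attribute. Function names and the sample inputs are assumptions of this example.

```php
<?php
// Added example, not phpLDAPadmin's code or the debdiff patch. Function names
// and sample inputs are mine; each sink is encoded for the context it lands in.

// Sink 1: 'form' and 'element' end up as identifiers in
// opener.document.getElementById("%s").%s, so constrain them to an identifier
// charset and reject everything else rather than trying to escape.
function safe_identifier(string $value): string
{
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]*\z/', $value)) {
        throw new InvalidArgumentException('not an identifier');
    }
    return $value;
}

// Sink 2: the value is a JS string literal inside a javascript: URL inside an
// HTML attribute. json_encode with the HEX flags yields a quoted literal whose
// < > & ' " are \uXXXX escapes, so it cannot close the literal, a <script>
// block, or the attribute. Invalid UTF-8 is refused, not silently dropped.
function js_string_literal(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode($value, $flags);
    if ($literal === false) {
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    return $literal;
}

function render_opener_lookup(string $form, string $element): string
{
    // No eval() needed once both parts are known to be plain identifiers.
    return sprintf('o = opener.document.getElementById(%s).%s;',
        js_string_literal(safe_identifier($form)), safe_identifier($element));
}

function render_return_href(string $rdn, string $dn): string
{
    // Encode once per layer, innermost first: JS string, then HTML attribute.
    $arg = js_string_literal(($rdn !== '' ? $rdn . ',' : '') . $dn);
    $url = sprintf('javascript:returnDN(%s)', $arg);
    return sprintf('<a href="%s">%s</a>',
        htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        htmlspecialchars($dn, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed inputs: an RDN carrying the quote and angle-bracket characters
// that break out of the original single-quoted string, plus plain identifiers.
echo render_opener_lookup('login_form', 'dn_field'), PHP_EOL;
echo render_return_href('cn=a\'b"c<d>', 'ou=People,dc=example,dc=com'), PHP_EOL;
```

The identifier whitelist is deliberately strict; if the application's element ids legitimately contain hyphens, widen the character class rather than fall back to escaping.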


Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in phpldapadmin (Ubuntu):
status: New → Incomplete
information type: Private Security → Public Security
Ismail (xd4rker) wrote :

Here is a debdiff.

The attachment "phpldapadmin_1.2.2-5.2ubuntu2.1.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Changed in phpldapadmin (Ubuntu):
status: Incomplete → Triaged
Seth Arnold (seth-arnold) wrote :

Hello Ismail, thanks for taking on this task.

There are a few small things that I'd like changed before we sponsor this:

- Since Ubuntu doesn't really have package 'maintainers', there's no need to point out it's a non-maintainer upload
- We like the security updates to all have consistent formatting as described on: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging
- We like the patches to have DEP-3 tags to indicate at least where the patch came from, so future readers can verify patches independently. (While DEP-3 is kind of complicated and involved, it's basically just adding Subject: with something short and descriptive and Origin: with a link to the patch.) The full DEP-3 guide is at http://dep.debian.net/deps/dep3/ but don't feel compelled to read it unless I did a poor job describing it here.

Could you submit a new patch with these items fixed up?

Thanks

Ismail (xd4rker) wrote :

Hello Seth, Thank you for replying.

I hope this one will do.

Seth Arnold (seth-arnold) wrote :

Very nice, thanks; I've asked what I think is upstream for feedback: https://github.com/leenooks/phpLDAPadmin/issues/50

Thanks

Emily Ratliff (emilyr) wrote :

Thanks for providing the debdiff. This package has been built and is available in the security-proposed PPA for testing.
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phpldapadmin - 1.2.2-5.2ubuntu2.1

---------------
phpldapadmin (1.2.2-5.2ubuntu2.1) xenial-security; urgency=low

  * SECURITY UPDATE: Multiple Cross-Site Scripting vulnerabilities in
    file htdocs/entry_chooser.php (LP: #1701731)
    - debian/patches/fix-XSS-3.patch: sanitize user inputs in
      file htdocs/entry_chooser.php.
    - CVE-2017-11107

 -- Ismail Belkacim <email address hidden> Fri, 07 Jul 2017 05:38:54 -0700

Changed in phpldapadmin (Ubuntu):
status: Triaged → Fix Released
Changed in phpldapadmin:
status: Unknown → Confirmed