Ldap-account-manager current_language Pre-Auth Cross-Site-Scripting
Posted on 22 October 2013
=== Security Advisory ===

ldap-account-manager-4.3 - PreAuth XSS
------------------------------------------------------------

Affected Version
================

ldap-account-manager-4.3, ldap-account-manager-4.2.1 and possibly others

Problem Overview
================

Technical Risk: medium
Likelihood of Exploitation: medium
Vendor: Debian / Roland Gruber
Reported by: Eric Sesterhenn <snakebyte@gmx.de>
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013001.txt
Advisory Status: Private

Problem Impact
==============

While taking a quick look at the LDAP Account Manager, an XSS issue was found. It is possible to execute JavaScript in a victim's browser after tricking the victim into posting certain data to the website.

Problem Description
===================

The file "./templates/login.php" contains a Cross-Site-Scripting issue on line 122. When the parameter current_language is set to malicious input (e.g. foo%3A"><script>alert(1)</script>%3Abar), JavaScript is executed in the victim's browser. The parameter current_language is retrieved from $_SESSION['language'] in line 119, which is a copy of $_POST['language'] (line 117).

Temporary Workaround and Fix
============================

Apply the following patch to properly encode the variable:

--- templates/login.php.orig	2013-09-25 07:53:03.107208062 +0200
+++ templates/login.php	2013-09-25 07:53:20.715207533 +0200
@@ -119,7 +119,7 @@ if (isset($_POST['language'])) { $current_language = explode(":",$_SESSION['language']); $_SESSION['header'] = "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> "; $_SESSION['header'] .= "<html> <head> "; -$_SESSION['header'] .= "<meta http-equiv="content-type" content="text/html; charset=" . $current_language[1] . ""> "; +$_SESSION['header'] .= "<meta http-equiv="content-type" content="text/html; charset=" . htmlentities($current_language[1]) . ""> "; $_SESSION['header'] .= "<meta http-equiv="pragma" content="no-cache"> <meta http-equiv="cache-control" content="no-cache">"; /**

History
=======

25.09.2013 - Issue detected
20.10.2013 - Vendor notified

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
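Review bot: the `+` line calls htmlentities($current_language[1]) with no flags or charset argument, so the encoding behaviour depends on the interpreter's defaults (ISO-8859-1 and ENT_COMPAT before PHP 5.4); pass them explicitly, e.g. `htmlspecialchars($current_language[1], ENT_QUOTES, 'UTF-8')`, so the result does not vary with the PHP version. Because the escaped value is a charset name placed in a <meta> attribute, a more complete fix is to validate the value against the application's configured language list where `$_POST['language']` is copied into `$_SESSION['language']` (the advisory names line 117), so that every element of the exploded string is safe at every later use rather than only at this one output site.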
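The following is an added example, not code from LDAP Account Manager or from the advisory author. It puts the vulnerable header construction the advisory describes next to two hardened variants: one that only encodes the charset field at output (what the patch above does) and one that additionally rejects any language value that is not in the configured list. The function names, the SUPPORTED_LANGUAGES list and its colon-separated layout are constructed for the example; only the use of explode(":") and of the second field as a charset is taken from the hunk.

```php
<?php
// Added example (not LAM's own code). Requires PHP 7 or newer.

// Constructed stand-in for the application's configured languages. The layout
// "code:charset:description" is an assumption that matches the hunk's use of
// explode(":") and of element [1] as the charset; the real LAM format is not
// shown on the page.
const SUPPORTED_LANGUAGES = [
    'en_GB.utf8:UTF-8:English (Great Britain)',
    'de_DE.utf8:UTF-8:Deutsch (Deutschland)',
];

// Vulnerable pattern from the advisory: the second colon-separated field is
// concatenated into a double-quoted HTML attribute without any encoding, so a
// value whose middle field contains a double quote breaks out of the attribute.
function buildHeaderUnsafe(string $language): string
{
    $parts = explode(':', $language);
    return '<meta http-equiv="content-type" content="text/html; charset='
        . $parts[1] . '">';
}

// What the patch does, with the flags and charset made explicit so the result
// does not depend on PHP's version-specific defaults. The attacker-chosen
// charset name is still echoed, but it can no longer leave the attribute.
function buildHeaderEncodedOnly(string $language): string
{
    $parts   = explode(':', $language);
    $charset = htmlspecialchars($parts[1], ENT_QUOTES | ENT_HTML401, 'UTF-8');
    return '<meta http-equiv="content-type" content="text/html; charset='
        . $charset . '">';
}

// Defense in depth: accept only an exact match against the configured list,
// fall back to the first configured language otherwise, and encode at output
// anyway. Validating here covers every later use of the value, not just this
// one output site.
function buildHeaderSafe(string $language, array $supported = SUPPORTED_LANGUAGES): string
{
    if (!in_array($language, $supported, true)) {
        $language = $supported[0];   // unknown value: never echo it back
    }
    $parts   = explode(':', $language);
    $charset = htmlspecialchars($parts[1], ENT_QUOTES | ENT_HTML401, 'UTF-8');
    return '<meta http-equiv="content-type" content="text/html; charset='
        . $charset . '">';
}

// Demonstration with the decoded form of the advisory's proof-of-concept string.
$payload = 'foo:"><script>alert(1)</script>:bar';

echo buildHeaderUnsafe($payload), PHP_EOL;
// The attribute is closed by the injected quote and a <script> element follows.

echo buildHeaderEncodedOnly($payload), PHP_EOL;
// charset=&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt; stays inside the attribute.

echo buildHeaderSafe($payload), PHP_EOL;
// The payload is not in the list, so the first configured language is used.

echo buildHeaderSafe('de_DE.utf8:UTF-8:Deutsch (Deutschland)'), PHP_EOL;
// A configured value passes through unchanged: charset=UTF-8
```

Running the script prints the four header lines in order; comparing the first two shows exactly what the one-line patch buys, and the third shows why validating the stored language value is the stronger fix when the data comes from a POST parameter.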
