Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 02 Feb 2012 12:15:26 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: phpldapadmin "base" Cross-Site Scripting Vulnerability

According to secunia advisory:
https://secunia.com/advisories/47852/

Input passed via the "base" parameter to cmd.php (when "cmd" is set to 
"query_engine") is not properly sanitised in lib/QueryRender.php before being 
returned to the user. This can be exploited to execute arbitrary HTML and 
script code in a user's browser session in context of an affected site.

The vulnerability is confirmed in version 1.2.2. Other versions may also be 
affected.

Original Advisory:
https://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546

Commit code:
http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;a=commit;h=7dc8d57d6952fe681cb9e8818df7f103220457bd

-- 
Agostino Sarubbo		ago -at- gentoo.org
Gentoo/AMD64 Arch Security Liaison
GPG: 0x7CD2DC5D

Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.