oss-sec mailing list archives
Re: CVE Request -- LDAP Account Manager Pro / PhpLDAPadmin -- Multiple XSS flaws
From: Roland Gruber <post () rolandgruber de>
Date: Mon, 12 Mar 2012 23:02:20 +0100
Hi all, On 12.03.2012 12:18, Jan Lieskovsky wrote:
Can we consider the CVE-2012-1114, CVE-2012-1115 identifiers below to be valid also for phpLDAPAdmin code?
yes.
Roland, could you clarify, if phpLDAPAdmin code would be vulnerable to all issues listed for LDAP Account Manager too or if phpLDAPAdmin would be vulnerable only for XSS issues when processing: i) 'export', ii) 'add_value_form' iii) and 'dn' variables?
phpLDAPadmin is vulnerable to i, ii and iii.
And LDAP Account Manager would be vulnerable yet to additional XSS flaws, due improper sanitization of 'filteruid', 'type', and 'cmd' variables? (and these would be LDAP Account Manager specific)
Regarding the filteruid problem I cannot reproduce this. The variable is properly sanitized. This is a LAM only thing. -- Best regards Roland
Current thread:
- CVE Request -- LDAP Account Manager Pro / PhpLDAPadmin -- Multiple XSS flaws Jan Lieskovsky (Mar 05)
- Re: CVE Request -- LDAP Account Manager Pro / PhpLDAPadmin -- Multiple XSS flaws Kurt Seifried (Mar 05)
- Re: CVE Request -- LDAP Account Manager Pro / PhpLDAPadmin -- Multiple XSS flaws Jan Lieskovsky (Mar 12)
- Re: CVE Request -- LDAP Account Manager Pro / PhpLDAPadmin -- Multiple XSS flaws Roland Gruber (Mar 12)
- Re: CVE Request -- LDAP Account Manager Pro / PhpLDAPadmin -- Multiple XSS flaws Jan Lieskovsky (Mar 12)
- Re: CVE Request -- LDAP Account Manager Pro / PhpLDAPadmin -- Multiple XSS flaws Roland Gruber (Mar 05)
- Re: CVE Request -- LDAP Account Manager Pro / PhpLDAPadmin -- Multiple XSS flaws Dmitry Butskoy (Mar 06)
- Re: CVE Request -- LDAP Account Manager Pro / PhpLDAPadmin -- Multiple XSS flaws Kurt Seifried (Mar 05)