IBM Directory Server 4.1 Web Admin Gui (ldacgi.exe) XSS Vulnerability

["Oliver Karow" <Oliver.Karow () gmx de>]

IBM Directory Server 4.1 Web Admin Gui (ldacgi.exe) XSS Vulnerability
=====================================================================

During the audit of 3rd party product, based on IBM Directory Server,
i found a cross site scripting vulnerability on IBM's Directory Server 4.1
Web Admin Gui. The vuln exists due to the fact that ldacgi.exe does not
validate
the input regarding script code.


Version:
========

IBM Directory Server 4.1 ( IBM HTTP Server 1.3.19.2 Apache/1.3.20) running
on Windows platform.


Exploiting:
===========

https://server/ldap/cgi-bin/ldacgi.exe?Action=<script>alert("foo")</script>


Vendor:
=======

Website: http://www.ibm.com

Product: http://www-306.ibm.com/software/tivoli/products/directory-server/

Status: informed - but no reply within 7 days


Misc:
=====

The XSS exists in ldacgi.exe which will appear on the login-screen.
Its a vuln with a small impact, but user-input should always be validated :)

By the way.....requesting ldacgi3.exe (no auth. required) gives lot of
information about the accepted parameters of ldcgi.exe, which can be used to
start further attacks against ldacgi.exe.


Credit:
=======

Oliver.Karow[@]gmx.de
www.oliverkarow.de

-- 
+++ GMX - die erste Adresse für Mail, Message, More +++
Neu: Preissenkung für MMS und FreeMMS! http://www.gmx.net