oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE request: phpldapadmin "base" Cross-Site Scripting Vulnerability

From: Agostino Sarubbo <ago () gentoo org>
Date: Thu, 02 Feb 2012 12:15:26 +0100
According to secunia advisory:
https://secunia.com/advisories/47852/

Input passed via the "base" parameter to cmd.php (when "cmd" is set to 
"query_engine") is not properly sanitised in lib/QueryRender.php before being 
returned to the user. This can be exploited to execute arbitrary HTML and 
script code in a user's browser session in context of an affected site.

The vulnerability is confirmed in version 1.2.2. Other versions may also be 
affected.

Original Advisory:
https://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546

Commit code:
http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;a=commit;h=7dc8d57d6952fe681cb9e8818df7f103220457bd

-- 
Agostino Sarubbo                ago -at- gentoo.org
Gentoo/AMD64 Arch Security Liaison
GPG: 0x7CD2DC5D

Attachment: signature.asc
Description: This is a digitally signed message part.

Previous By Date Next
Previous By Thread Next

Current thread: