phamm: CVE-2017-0378: reflected XSS in login page

[Salvatore Bonaccorso <carnil () debian org>]

Hi

John Lightsey found a reflected XSS vulnerability in phamm login page.
phamm is a PHP front-end to manage virtual services on LDAP.

Quoting his report in Debian[0]:

> While looking through codesearch.debian.net I noticed that phamm's
> views/helpers.php uses $_SERVER['PHP_SELF'] in a way that is
> vulnerable to reflected XSS attacks.
>
> To reproduce the problem, load a URL like this in Firefox:
>
> http://127.0.0.1/phamm/main.php/%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E

Refrences:
 [0] https://bugs.debian.org/868988
 [1] https://github.com/lota/phamm/issues/21

Regards,
Salvatore