=== Security Advisory ===

ldap-account-manager-4.3 - PreAuth XSS
------------------------------------------------------------

Affected Version
================
ldap-account-manager-4.3, ldap-account-manager-4.2.1 and possibly others

Problem Overview
================
Technical Risk: medium
Likelihood of Exploitation: medium
Vendor: Debian / Roland Gruber
Reported by: Eric Sesterhenn
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013001.txt
Advisory Status: Public
CVE-ID: CVE-2013-4453

Problem Impact
==============
While taking a quick look at the LDAP Account Manager, an XSS issue was found. It is possible to execute JavaScript in a victim's browser after tricking the victim into posting certain data to the website.

Problem Description
===================
The file "./templates/login.php" contains a Cross-Site-Scripting issue on line 122. When the parameter current_language is set to malicious input (e.g. foo%3A">%3Abar), JavaScript is executed in the victim's browser. The parameter current_language is retrieved from $_SESSION['language'] in line 119, which is a copy of $_POST['language'] (line 117).

Temporary Workaround and Fix
============================
Apply the following patch to properly encode the variable:

--- templates/login.php.orig 2013-09-25 07:53:03.107208062 +0200
+++ templates/login.php 2013-09-25 07:53:20.715207533 +0200
@@ -119,7 +119,7 @@
if (isset($_POST['language'])) {
$current_language = explode(":",$_SESSION['language']);
$_SESSION['header'] = "\n\n";
$_SESSION['header'] .= "\n\n";
-$_SESSION['header'] .= "\n";
+$_SESSION['header'] .= "\n";
$_SESSION['header'] .= "\n ";
/**

History
=======
25.09.2013 - Issue detected
20.10.2013 - Vendor notified
21.10.2013 - Patch issued
22.11.2013 - Updated with CVE id: CVE-2013-4453
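Review bot: the removed and added lines of the hunk read identically as reproduced (`-$_SESSION['header'] .= "\n";` / `+$_SESSION['header'] .= "\n";`), so the patch as shown neither applies cleanly nor demonstrates the encoding the text promises; whatever markup stood between the quotes (presumably the header tag that embeds $current_language, per the description) was lost when the advisory was rendered, and the fixed line should be reproduced in full so a reader can see which escaping function wraps the language value before it lands in the attribute.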
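The data flow the description gives (a posted language value copied into the session, split on ":" and written into the page header unescaped), shown as an added PHP illustration that is not LAM's code and does not reproduce login.php. It assumes the second element of the exploded value is the one placed into the attribute (the advisory's payload puts the closing quote there), uses a constructed allow-list of language strings, and the function names are hypothetical.

```php
<?php
// Added illustration, not code from ldap-account-manager.
// Two ways of building the charset <meta> line from a user-supplied
// language string of the form "locale:charset:display name".

// Vulnerable shape: the exploded value is concatenated into an HTML
// attribute without encoding, so a '"' in the input closes the attribute
// and everything after it is parsed as markup.
function vulnerable_header(string $language): string
{
    $current_language = explode(":", $language);
    // Assumption: element [1] (the charset) is the one written to the attribute.
    return '<meta http-equiv="content-type" content="text/html; charset='
        . $current_language[1] . '">' . "\n";
}

// Hardened shape: (1) accept only a language string the application itself
// offers, and (2) HTML-encode the value anyway as defence in depth.
function hardened_header(string $language, array $allowed_languages): string
{
    // (1) Allow-list check with strict comparison; unknown input falls back
    //     to the first configured language instead of being echoed.
    if (!in_array($language, $allowed_languages, true)) {
        $language = $allowed_languages[0];
    }
    $current_language = explode(":", $language);
    // (2) htmlspecialchars with ENT_QUOTES turns both '"' and "'" into
    //     entities, so the value can no longer terminate the attribute.
    $charset = htmlspecialchars($current_language[1], ENT_QUOTES, 'UTF-8');
    return '<meta http-equiv="content-type" content="text/html; charset='
        . $charset . '">' . "\n";
}

// Constructed sample input: the advisory's example value after URL decoding.
$posted_language = 'foo:">:bar';

// Constructed allow-list in the "locale:charset:name" shape assumed above.
$allowed_languages = [
    'en_GB.utf8:UTF-8:English (Great Britain)',
    'de_DE.utf8:UTF-8:Deutsch (Deutschland)',
];

echo "vulnerable: " . vulnerable_header($posted_language);
echo "hardened:   " . hardened_header($posted_language, $allowed_languages);
```

With the constructed input, the vulnerable function emits the second element `">` straight into the `content` attribute, which is exactly the attribute break the advisory describes; the hardened function never reaches that point because the value is not on the allow-list, and even a permitted value passes through htmlspecialchars before it is written. Doing both matters: the allow-list fixes the root cause (the browser-chosen language should only ever be one of the application's own entries), while the encoding protects the header if a future change lets a non-listed value through.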