Date: Thu, 02 Feb 2012 12:15:26 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: phpldapadmin "base" Cross-Site Scripting Vulnerability

According to the Secunia advisory: https://secunia.com/advisories/47852/

Input passed via the "base" parameter to cmd.php (when "cmd" is set to "query_engine") is not properly sanitised in lib/QueryRender.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is confirmed in version 1.2.2. Other versions may also be affected.

Original Advisory:
https://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546

Commit code:
http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;a=commit;h=7dc8d57d6952fe681cb9e8818df7f103220457bd

-- 
Agostino Sarubbo
ago -at- gentoo.org
Gentoo/AMD64 Arch Security Liaison
GPG: 0x7CD2DC5D
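The reflection pattern the advisory describes, shown as an added illustration that is not phpldapadmin's code and does not reproduce lib/QueryRender.php: a page echoing the "base" request parameter back into an HTML attribute without encoding, beside the hardened form that encodes for the attribute context. The function names and the sample value are constructed for this example.

```php
<?php
// Added illustration, not the project's code. Models a query form that
// echoes the "base" parameter back to the user inside an HTML attribute.

function render_base_unsafe(string $base): string {
    // Vulnerable pattern: the raw parameter is interpolated into markup,
    // so a value containing '"' or '<' can break out of the attribute.
    return '<input type="text" name="base" value="' . $base . '">';
}

function render_base_safe(string $base): string {
    // Hardened: encode for the HTML attribute context. ENT_QUOTES is stated
    // explicitly because before PHP 8.1 the default (ENT_COMPAT) leaves
    // single quotes untouched; ENT_SUBSTITUTE avoids returning an empty
    // string on invalid UTF-8, which would otherwise hide the input.
    $encoded = htmlspecialchars($base, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="base" value="' . $encoded . '">';
}

// Constructed sample: a harmless probe value, not a working payload.
$sample = 'dc=example,dc=com"><b>probe</b>';

echo render_base_unsafe($sample), PHP_EOL;
// -> the attribute is closed early and <b>probe</b> lands in the page body

echo render_base_safe($sample), PHP_EOL;
// -> value="dc=example,dc=com&quot;&gt;&lt;b&gt;probe&lt;/b&gt;"

// Self-check: the hardened output must contain no raw quote or angle
// bracket originating from the parameter (only the template's own).
$inner = substr(render_base_safe($sample), strlen('<input type="text" name="base" value="'), -2);
assert(strpbrk($inner, '"<>\'') === false);
```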