Date: Fri, 03 Feb 2012 01:48:52 -0700
From: Kurt Seifried <>
CC: Agostino Sarubbo <>
Subject: Re: CVE request: phpldapadmin "base" Cross-Site Scripting

On 02/02/2012 04:15 AM, Agostino Sarubbo wrote:
> According to secunia advisory: 
> Input passed via the "base" parameter to cmd.php (when "cmd" is set
> to "query_engine") is not properly sanitised in lib/QueryRender.php
> before being returned to the user. This can be exploited to execute
> arbitrary HTML and script code in a user's browser session in
> context of an affected site.
> The vulnerability is confirmed in version 1.2.2. Other versions may
> also be affected.
> Original Advisory: 
>  Commit code: 
Ah, our missing friend htmlspecialchars. Please use CVE-2012-0834 for
this issue.

Kurt Seifried Red Hat Security Response Team (SRT)
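To make the "missing htmlspecialchars" point concrete, here is an added example (not phpldapadmin's code, and not from either poster) that shows the reflected-output pattern the advisory describes beside the escaped form; the function names and the input field are assumptions.

```php
<?php
// Added illustration, not phpldapadmin's lib/QueryRender.php. A "base" DN
// supplied by the request is echoed back into an HTML attribute.

// Vulnerable pattern: the untrusted value is concatenated into markup as-is,
// so quotes and angle brackets in it are interpreted by the browser.
function render_base_field_unsafe(string $base): string {
    return '<input type="text" name="base" value="' . $base . '">';
}

// Hardened pattern: encode for the HTML context before output.
// ENT_QUOTES escapes both " and ' so the value cannot terminate the
// attribute; the explicit charset avoids encoding ambiguity.
function render_base_field_safe(string $base): string {
    $escaped = htmlspecialchars($base, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="base" value="' . $escaped . '">';
}

// Constructed sample input: a DN that also carries markup characters.
// In the real application this would arrive as $_GET['base'].
$base = 'dc=example,dc=com"><b>injected</b>';

echo 'unsafe: ' . render_base_field_unsafe($base) . PHP_EOL;
echo 'safe:   ' . render_base_field_safe($base) . PHP_EOL;
```

Running it shows the unsafe line emitting a closed attribute followed by live markup, while the safe line keeps the whole DN inside the attribute as entity-encoded text; the same escaping has to be applied at every point where request data reaches HTML, not only in the query engine path named in the advisory.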
