[Secure-testing-team] Bug#726976: ldap-account-manager: Pre-Authentication Cross-Site-Scripting in current_language parameter

Eric Sesterhenn snakebyte at gmx.de
Mon Oct 21 06:49:16 UTC 2013


Package: ldap-account-manager
Version: 4.3
Severity: grave
Tags: security
Justification: user security hole

=== Security Advisory ===

ldap-account-manager-4.3 - PreAuth XSS
------------------------------------------------------------

Affected Version
================
ldap-account-manager-4.3, ldap-account-manager-4.2.1
and possibly others

Problem Overview
================
Technical Risk: medium
Likelihood of Exploitation: medium
Vendor: Debian / Roland Gruber
Reported by: Eric Sesterhenn <snakebyte at gmx.de>
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013001.txt
Advisory Status: Private

Problem Impact
==============
While taking a quick look at the LDAP Account Manager,
an XSS issue was found. It is possible to execute JavaScript
in a victim's browser after tricking the victim into posting certain data
to the website.


Problem Description
===================
The file "./templates/login.php" contains a Cross-Site-Scripting
issue on line 122. When the parameter current_language is set to
malicious input (e.g. foo%3A"><script>alert(1)</script>%3Abar),
JavaScript is executed in the victim's browser.
The parameter current_language is retrieved
from $_SESSION['language'] in line 119, which
is a copy of $_POST['language'] (line 117).
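The flow described above, as an added illustration that is not LAM's own code: the POSTed language string is split on ":" and its second field is written straight into the charset attribute of a <meta> tag. The entry format "locale:charset:label" and the helper names (buildHeaderVulnerable, selectLanguage, buildHeaderSafe) are assumptions for the example; the hardened variant allowlists the value against the configured language list before it is stored in the session and still encodes it at output.

```php
<?php
// Added illustration (not ldap-account-manager code): untrusted language string
// reaching the <meta charset> attribute, and an allowlist-based replacement.

// Assumed entry format "locale:charset:label", modelled on the explode(":") in the advisory.
$knownLanguages = [
    'en_GB.utf8:UTF-8:English (Great Britain)',
    'de_DE.utf8:UTF-8:Deutsch (Deutschland)',
];

// Vulnerable shape, as the advisory describes it: the value copied from
// $_POST['language'] into the session is interpolated raw into the attribute.
function buildHeaderVulnerable(string $sessionLanguage): string {
    $current_language = explode(":", $sessionLanguage);
    return "<meta http-equiv=\"content-type\" content=\"text/html; charset="
        . $current_language[1] . "\">\n";
}

// Hardened shape, step 1: only a value that exactly matches one of the
// configured language entries is accepted; anything else falls back to the default.
function selectLanguage(?string $posted, array $known, string $default): string {
    return ($posted !== null && in_array($posted, $known, true)) ? $posted : $default;
}

// Hardened shape, step 2: encode at output anyway (defence in depth) and guard
// index 1, which does not exist when the stored value contains no ":".
function buildHeaderSafe(string $sessionLanguage): string {
    $parts = explode(":", $sessionLanguage);
    $charset = $parts[1] ?? 'UTF-8';
    return "<meta http-equiv=\"content-type\" content=\"text/html; charset="
        . htmlspecialchars($charset, ENT_QUOTES, 'UTF-8') . "\">\n";
}

// Constructed demonstration using the advisory's sample input (URL-decoded).
$posted = 'foo:"><script>alert(1)</script>:bar';
echo buildHeaderVulnerable($posted);   // the quote and tag close the attribute and the <meta> element
$lang = selectLanguage($posted, $knownLanguages, $knownLanguages[0]);
echo buildHeaderSafe($lang);           // the unknown value is replaced by the default entry
```

The allowlist check is the part that removes the root cause: once $_SESSION['language'] can only hold one of the configured entries, the charset field cannot carry attacker-chosen characters, and the output encoding is left as a second layer rather than the only one.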


Temporary Workaround and Fix
============================
Apply the following patch to properly encode the variable:

--- templates/login.php.orig    2013-09-25 07:53:03.107208062 +0200
+++ templates/login.php 2013-09-25 07:53:20.715207533 +0200
@@ -119,7 +119,7 @@ if (isset($_POST['language'])) {
 $current_language = explode(":",$_SESSION['language']);
 $_SESSION['header'] = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01
Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">\n\n";
 $_SESSION['header'] .= "<html>\n<head>\n";
-$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html;
charset=" . $current_language[1] . "\">\n";
+$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html;
charset=" . htmlentities($current_language[1]) . "\">\n";
 $_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n
<meta http-equiv=\"cache-control\" content=\"no-cache\">";

 /**
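Review bot: the hunk encodes the sink, but the untrusted value still enters the session unvalidated at `if (isset($_POST['language'])) {` (line 117 per the advisory); validating the POSTed value against the configured language list before it is stored would close the root cause and keep the charset to known values, with `htmlentities()` left as a second layer. Two smaller points on the `+` line: `$current_language[1]` is undefined when the stored value contains no ":" (`explode()` then returns a single element), so guard the index before passing it on; and pass `ENT_QUOTES` explicitly to `htmlentities()` rather than relying on the default flags, even though the default does encode the double quote that matters in this `content="..."` attribute.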


History
=======
25.09.2013 - Issue detected
20.10.2013 - Vendor notified



-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
