
Multiple vulnerabilities in LDAP Account Manager #170

Closed
Fumenoid opened this issue Apr 10, 2022 · 1 comment

Comments

@Fumenoid

Hello.

I am a security researcher, and with my friend Manthan (@netsectuna), we reviewed the application and discovered multiple vulnerabilities.

1. Stored XSS
    - Description - The profile editor tool has an edit profile functionality; the parameters on this page are not properly sanitized and hence lead to stored XSS attacks. An authenticated user can store XSS payloads in the profiles, which get triggered when any other user tries to access the edit profile page.
    - Impact - Medium/High (depends on how the server profile is configured: if LDAP users and the LDAP admin can both log in to LDAP Account Manager, an LDAP user can save XSS payloads to trigger tasks as admin)
    - Affected URL - http://<IP>/templates/profedit/profilepage.php
    - POC:
        1. As an authenticated user, navigate to the URL http://<IP>/templates/profedit/profilemain.php
        2. Create a new user profile for either user or group (editing a profile will also work) and in the description field add the XSS payload `"><script>alert(document.domain)</script><`, then save the profile.
        3. Now whenever any authenticated user edits this profile page, the XSS payload will be triggered.

2. Arbitrary jpg/png file read
    - Description - The PDF editor tool has an edit PDF profile functionality; the logoFile parameter in it is not properly sanitized and a user can enter relative paths like `../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png` via tools like Burp Suite. Later, when a PDF is exported using the edited profile, the PDF icon is the image at that path (if the image is present).
    - Impact - Low (the impact is low due to the high unlikelihood of the LDAP admin knowing the locations of images that hold any sensitive/personal information. One possible attack vector is to enumerate tools/software on the system by checking for icon images; in this POC we can verify that the server has vim installed)
    - Affected URL - http://<IP>/templates/pdfedit/pdfpage.php
    - POC:
        1. As an authenticated user, navigate to the URL http://<IP>/templates/pdfedit/pdfmain.php
        2. Create a new PDF structure for either user or group (editing a profile will also work).
        3. With the Burp Suite proxy on, click on save. In Burp Suite, replace the value of the logoFile parameter with the path of an image file, let's say `../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png` for the icon file of vim, and forward the request.
        4. Now, while exporting a PDF for a user, if that POC profile is selected, the exported PDF will have the vim logo image.

We would have loved to fix these ourselves... but *cries* because of bad dev skills.
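The two defects above are both input-handling problems: an unescaped value rendered back into the profile editor's HTML (finding 1), and a file name joined onto a directory without confining the result to that directory (finding 2). The following Python is an added illustration of the two corresponding defences and is not code from this issue or from LDAP Account Manager, which is written in PHP; the directory layout, file names and the `render_description_field`/`resolve_logo_path` helpers are constructed for the demo. The PHP counterparts are `htmlspecialchars()` with `ENT_QUOTES` for the first and `realpath()` plus a prefix comparison for the second.

```python
import html
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample input: the payload quoted in the report.
XSS_PAYLOAD = '"><script>alert(document.domain)</script><'

# Allowed extensions for a PDF logo; the report concerns jpg/png files.
ALLOWED_LOGO_EXT = {".png", ".jpg", ".jpeg"}


def render_description_field(description: str) -> str:
    """Render the profile description into an <input> value attribute.

    html.escape(..., quote=True) turns &, <, >, " and ' into entities, so a
    stored value like XSS_PAYLOAD can neither close the attribute nor open a
    <script> tag. PHP equivalent: htmlspecialchars($value, ENT_QUOTES, 'UTF-8').
    """
    return '<input type="text" name="description" value="%s">' % html.escape(
        description, quote=True
    )


def resolve_logo_path(logo_dir: Path, logo_file: str) -> Optional[Path]:
    """Return the logo's path only if it lies inside logo_dir, else None.

    The containment check runs on the fully resolved path (Path.resolve()
    collapses '..' segments and follows symlinks), so the '../../usr/share/...'
    traversal from the report and absolute paths are both rejected. PHP
    equivalent: realpath() followed by a prefix comparison with the logo dir.
    """
    root = logo_dir.resolve()
    # Joining an absolute logo_file yields that absolute path; containment catches it.
    candidate = (root / logo_file).resolve()
    if candidate == root or root not in candidate.parents:
        return None
    if candidate.suffix.lower() not in ALLOWED_LOGO_EXT or not candidate.is_file():
        return None
    return candidate


def run_checks() -> dict:
    """Exercise both defences against constructed inputs; True means 'defended'."""
    rendered = render_description_field(XSS_PAYLOAD)
    results = {
        # The raw payload must not survive into the markup, and decoding the
        # attribute must still give back exactly what the user typed.
        "xss_neutralised": "<script>" not in rendered and '"><' not in rendered,
        "value_preserved": html.unescape(rendered.split('value="')[1][:-2]) == XSS_PAYLOAD,
    }
    with tempfile.TemporaryDirectory() as tmp:  # constructed, throwaway directory tree
        logos = Path(tmp) / "logos"
        logos.mkdir()
        (logos / "company.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        outside = Path(tmp) / "not-a-logo.png"
        outside.write_bytes(b"\x89PNG\r\n\x1a\n")
        (logos / "notes.txt").write_text("text, not an image")
        results.update({
            "legit_logo_accepted": resolve_logo_path(logos, "company.png") is not None,
            "traversal_rejected": resolve_logo_path(logos, "../not-a-logo.png") is None,
            "absolute_rejected": resolve_logo_path(logos, str(outside)) is None,
            "wrong_type_rejected": resolve_logo_path(logos, "notes.txt") is None,
            "missing_rejected": resolve_logo_path(logos, "absent.png") is None,
        })
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point of checking the resolved path rather than searching the input for `../` is that the check then holds regardless of how the traversal is spelled (repeated segments, absolute paths, symlinks inside the logo directory); rejecting on the resolved result is what makes the `logoFile` parameter safe to accept from an authenticated user at all.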

@gruberroland
Contributor

Thank you very much for your detailed report. The issues were fixed in the codebase and will be published with 8.0 in June.

gruberroland added a commit that referenced this issue Apr 14, 2022